VYPR research
Published Jul 2, 2026 · 1 source

Anthropic's Claude Cowork Sandbox Bypassed, Allowing Root-Level Command Execution

A vulnerability chain in Anthropic's Claude Cowork for Windows lets an attacker who already has local code execution on the host escalate to root inside the product's Linux sandbox, defeating its isolation and network-egress controls.

Researchers have uncovered a critical vulnerability chain affecting Anthropic's Claude Cowork for Windows, enabling attackers with initial local code execution to escalate privileges to root within the product's isolated Linux sandbox. This exploit bypasses multiple layers of security designed by Anthropic to protect the environment.

Claude Cowork is designed for knowledge workers, allowing them to leverage Claude Code for data processing and tool building. On Windows, the product encapsulates Claude Code within a Hyper-V-isolated Ubuntu virtual machine. This VM is protected by various security measures, including Authenticode-gated named-pipe RPC, bubblewrap namespaces, unprivileged user accounts, a seccomp filter, and a domain-restricted egress proxy.

The vulnerability chain, detailed by Armadin, ends in arbitrary command execution as root with unrestricted network access. It begins with a DLL sideloading flaw in the claude.exe binary: the signed executable loads a library by name from a search path the attacker can influence, so attacker-controlled code ends up running inside a legitimately signed Anthropic process. That does not break the pipe's Authenticode identity check; it satisfies it. Such checks verify the signature of the connecting process's image, not the provenance of every module loaded into that process, which is the standard weakness of gating IPC on the caller's signature alone.

With code running inside claude.exe, the attacker can speak to the host service over its named pipe. Armadin reverse-engineered the RPC protocol by studying service logs and error messages and by fuzzing JSON inputs. The framing is simple: a 4-byte length prefix followed by a JSON payload. The service exposes several methods, among them a spawn method that starts processes inside the VM, and that method is where the chain lands.

Direct attacks against most of the sandbox protections failed; the spawn method was the weak point. Two parameters mattered: isResume, which when set caused the service to skip its check on the requested user, and allowedDomains, whose name suggests it feeds the egress proxy's domain restriction. With isResume set, the caller could run commands as any user it named, including root. A payload like {"name": "root", "isResume": true} produced a root shell inside the sandbox.
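The following is an added example, not code from Anthropic, Claude Cowork or Armadin's write-up. It models the wire framing the article describes (a 4-byte length prefix, then a JSON body) with a decoder that copes with frames split across reads, and pairs it with a hypothetical spawn handler that makes the mistake the article attributes to the real one: a client-controlled isResume flag short-circuits the user check. The byte order of the length field, the allow-list, the handler names and the reading of "name" as the target user are all assumptions; the hardened handler shows the fix pattern, not Anthropic's actual patch.

```python
import json
import struct

# Assumption: the article does not state the byte order of the length prefix;
# little-endian is used here. MAX_FRAME is an assumed sanity cap so a hostile
# length field cannot make the decoder wait for gigabytes.
LENGTH_FMT = "<I"
MAX_FRAME = 1 << 20


def encode_frame(msg: dict) -> bytes:
    """Serialize one RPC message as <4-byte length><JSON body>."""
    body = json.dumps(msg, separators=(",", ":")).encode()
    return struct.pack(LENGTH_FMT, len(body)) + body


def decode_frames(buf: bytes) -> tuple[list[dict], bytes]:
    """Split a byte stream into complete messages, returning them plus the unconsumed tail.

    Handles the two cases a naive reader gets wrong: several frames arriving in
    one read, and a frame cut in the middle (the partial frame is left in the tail).
    """
    msgs = []
    while len(buf) >= 4:
        (n,) = struct.unpack(LENGTH_FMT, buf[:4])
        if n > MAX_FRAME:
            raise ValueError(f"frame length {n} exceeds cap")
        if len(buf) < 4 + n:
            break  # incomplete frame: caller should read more and retry
        msgs.append(json.loads(buf[4:4 + n]))
        buf = buf[4 + n:]
    return msgs, buf


# Hypothetical server side. The allow-list and account name are assumptions;
# "claude" stands in for the unprivileged user the sandbox is meant to run as.
ALLOWED_USERS = {"claude"}


def spawn_vulnerable(params: dict) -> str:
    """The pattern the article describes: a resume request skips the user check."""
    user = params.get("name", "claude")
    if not params.get("isResume") and user not in ALLOWED_USERS:
        raise PermissionError(f"user {user!r} not allowed")
    return f"spawn as {user}"


def spawn_hardened(params: dict) -> str:
    """Same handler with the check applied unconditionally.

    Whether a request is a resume has nothing to do with which account the process
    may run as, so that decision must never depend on a client-supplied flag.
    """
    user = params.get("name", "claude")
    if user not in ALLOWED_USERS:
        raise PermissionError(f"user {user!r} not allowed")
    return f"spawn as {user}"


def dispatch(handler, raw: bytes) -> list[str]:
    """Decode a byte stream and run every complete message through `handler`."""
    msgs, leftover = decode_frames(raw)
    if leftover:
        raise ValueError("trailing partial frame")
    results = []
    for m in msgs:
        try:
            results.append(handler(m))
        except PermissionError as e:
            results.append(f"denied: {e}")
    return results


if __name__ == "__main__":
    # Constructed sample: the payload quoted in the article, framed for the pipe.
    stream = encode_frame({"name": "root", "isResume": True})
    print(dispatch(spawn_vulnerable, stream))  # ['spawn as root']
    print(dispatch(spawn_hardened, stream))    # ["denied: user 'root' not allowed"]
```

The hardened handler is the general rule for any privileged RPC surface: every authorization-relevant decision is made from server-side state and a fixed policy, and flags that arrive in the request body only select behaviour within what the policy already permits.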

Armadin successfully validated this complete exploit chain against version 1.9255.2.0 of Claude Desktop for Windows. Although Anthropic's threat model may not have prioritized local execution scenarios, this finding highlights the potential for privilege escalation within sandboxed AI agent tools once an initial foothold is established.

For users of Claude Cowork the practical impact depends on the threat model: the chain requires an attacker who can already run code on the Windows host, but once that foothold exists, the sandbox's user separation and egress restrictions no longer hold. It underscores the ongoing challenge of securing complex software stacks, especially those integrating AI capabilities, where a single trusted control channel between components can undo several layers of isolation at once.

Synthesized by Vypr AI