A newly identified 0-click vulnerability in Claude Desktop Extensions poses a significant security threat to over 10,000 users. Exposed by LayerX, this flaw allows remote code execution through a deceptively simple method, raising concerns about the architecture of Large Language Models (LLMs) and their handling of trust boundaries.
Understanding the Vulnerability
The core of the vulnerability lies in how Claude’s Model Context Protocol (MCP) ecosystem handles data. Unlike modern browser extensions that are securely sandboxed, Claude’s extensions operate with full system privileges. This design flaw allows attackers to execute code without user interaction by exploiting the way AI agents process data from low-trust sources like Google Calendar.
LayerX has flagged this issue with a maximum CVSS score of 10/10, indicating its critical nature. The vulnerability does not require any complex user prompts, making it particularly dangerous. Instead, it relies on the AI’s autonomous decision-making to interpret and execute malicious commands embedded within calendar events.
How the Exploit Works
The attack method, termed the “Ace of Aces” by researchers, involves inviting a target to a calendar event with hidden malicious instructions. When a user asks Claude to manage their calendar events, the AI inadvertently executes the harmful tasks, compromising the system. This process occurs without any explicit confirmation, misleading users into believing they are merely managing their schedules.
This vulnerability is a “workflow failure” rather than a traditional software bug. Claude is designed to fulfill user requests autonomously by chaining tools together, but it lacks the context needed to distinguish between safe and unsafe data sources.
Implications and Recommendations
LayerX has informed Anthropic, the developer of Claude, about these findings. However, the company has not yet addressed the issue, citing the intended design of MCP autonomy. Until a solution is implemented, LayerX advises users to disconnect high-privilege extensions from connectors that handle untrusted data sources, such as emails or calendars.
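The recommendation above amounts to a trust boundary between low-trust connectors and high-privilege extensions. The following sketch is an added example, not code from LayerX, Anthropic or MCP: it shows a session gate that refuses a high-privilege tool call once data from a low-trust connector has entered the agent's context, unless the user explicitly confirms. The tool names, the SessionGate class and the replay helper are all hypothetical.

```python
from dataclasses import dataclass, field

# Hypothetical tool names for this sketch; they are constructed and are not
# real MCP connector or extension identifiers.
LOW_TRUST_SOURCES = {"calendar.list_events", "email.read_inbox"}
HIGH_PRIVILEGE_TOOLS = {"shell.run", "fs.write_file"}

@dataclass
class ToolCall:
    tool: str
    args: dict

@dataclass
class SessionGate:
    """Tracks whether untrusted data has entered the agent's context."""
    tainted_by: list = field(default_factory=list)
    audit: list = field(default_factory=list)

    def record_result(self, call):
        # Output from a low-trust connector taints the rest of the session,
        # because the model may treat text inside it as instructions.
        if call.tool in LOW_TRUST_SOURCES and call.tool not in self.tainted_by:
            self.tainted_by.append(call.tool)

    def authorize(self, call, user_confirmed=False):
        # High-privilege calls in a tainted session need explicit confirmation.
        risky = call.tool in HIGH_PRIVILEGE_TOOLS
        if risky and self.tainted_by and not user_confirmed:
            self.audit.append(("BLOCK", call.tool, tuple(self.tainted_by)))
            return False
        self.audit.append(("ALLOW", call.tool, tuple(self.tainted_by)))
        return True

def replay(calls, confirmed=frozenset()):
    """Run a sequence of tool calls through a fresh gate; return decisions and audit."""
    gate = SessionGate()
    decisions = []
    for i, call in enumerate(calls):
        ok = gate.authorize(call, user_confirmed=i in confirmed)
        decisions.append(ok)
        if ok:
            gate.record_result(call)
    return decisions, gate.audit

# Constructed session: the agent reads calendar events, then tries to chain
# into a command-execution tool based on what it read.
SAMPLE = [
    ToolCall("calendar.list_events", {"range": "today"}),
    ToolCall("shell.run", {"cmd": "<command proposed by the model>"}),
]
```

Calling replay(SAMPLE) allows the calendar read and blocks the chained execution call, and the audit entry records which connector tainted the session.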
The incident highlights the growing attack surface as AI evolves from simple chatbots to complex system assistants. While AI offers convenience, it also brings significant security risks. Users must remain vigilant and understand the potential dangers of integrating AI into critical systems.
