Zero-Click RCE in Claude Desktop Extensions Endangers 10k+ Users

February 10, 2026 at 07:29 AM

•

1 min read

Zero-Click RCE in Claude Desktop Extensions Endangers 10k+ Users — Photo: CybersecurityNews

TL;DR Summary

Security researchers LayerX revealed a zero-click remote code execution flaw in Claude Desktop Extensions (DXT) that leverages the Model Context Protocol to chain untrusted data from Google Calendar into a privileged local executor. An attacker can trigger the payload via a malicious calendar event with no user interaction, potentially compromising the host with the user’s privileges. The issue affects over 10,000 active Claude users and more than 50 DXT extensions; Anthropic has reportedly not fixed it yet, citing the architecture of MCP autonomy. Mitigations include disconnecting high-privilege local extensions from untrusted data sources and awaiting a patch or architectural changes to MCP. This serves as a warning about the security risks of AI agents autonomously bridging data to local systems.

Topics:technology #claude #cyber-security #desktop-extensions #google-calendar #layerx #rce

Share this article

Claude Desktop Extensions 0-Click RCE Vulnerability Exposes 10,000+ Users to Remote Attacks CybersecurityNews
New Zero-Click Flaw in Claude Desktop Extensions, Anthropic Declines Fix Infosecurity Magazine
Anthropic’s DXT poses “critical RCE vulnerability” by running with full system privileges csoonline.com
0-Click RCE Found in Claude Desktop Extensions, Putting 10,000+ Users at Risk gbhackers.com

Reading Insights

Total Reads

Unique Readers

Time Saved

54 min

vs 55 min read

Condensed

99%

10,946 → 120 words

Want the full story? Read the original article

Read on CybersecurityNews

JavaScript Required

tl;dr daily news requires JavaScript to be enabled. Please enable JavaScript in your browser settings.

Related Sources

Reading Insights