New Zero-Click Flaw in Claude Extensions, Anthropic Declines Fix

https://www.infosecurity-magazine.com/news/zeroclick-flaw-claude-dxt/

Publish Date: 2026-02-09 12:30:00

Source Domain: www.infosecurity-magazine.com

A single Google Calendar event can silently compromise a system running Claude Desktop Extensions, according to security researchers at browser security provider LayerX.

In a new report published on February 9, LayerX disclosed a critical vulnerability affecting 50 Claude Desktop Extensions (DXT).

If exploited, the flaw allows an attacker to achieve remote code execution (RCE) on a system running a vulnerable extension, without the victim needing to click on anything.

This issue was allocated a maximum-severity rating (CVSS of 10.0) and could impact over 10,000 active Claude DXT users.

Roy Paz, principal security researcher at LayerX, said his team reported the vulnerability to Anthropic, the company behind the Claude large language model (LLM) and associated services, including Claude DXT. However, Anthropic “decided not to fix it at this time,” Paz added.

Claude DXT: Full Privileges on the Host System

Claude Desktop Extensions differ from traditional browser extensions in several ways, although, like a typical Chrome browser extension, a Claude DXT offers a one-click installation process.

While a Chrome extension is a simple browser add-on packaged as a .crx file, Claude DXTs are Model Context Protocol (MCP) servers packaged and distributed through Anthropic’s extension marketplace. Each DXT is a .mcpb bundle, which Paz likened to a .zip archive, containing the MCP server implementation code as well as a manifest defining the extension’s exposed functions.
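Because a bundle is an ordinary archive with a manifest inside, a defender can inventory what an extension declares and how it would be launched before installing it. The following script is an added example, not LayerX's or Anthropic's code: it builds a constructed sample .mcpb in memory and parses it. The manifest file name and keys (manifest.json, "server", "mcp_config", "tools") are assumptions for this example; check the real DXT manifest schema before relying on them.

```python
import io
import json
import zipfile

# Constructed sample manifest. The key names are an assumption for this
# example, not taken from the article or the official DXT schema.
SAMPLE_MANIFEST = {
    "name": "example-calendar-tool",
    "version": "1.0.0",
    "server": {
        "type": "node",
        "entry_point": "server/index.js",
        "mcp_config": {"command": "node", "args": ["server/index.js"]},
    },
    "tools": [
        {"name": "list_events", "description": "Read calendar events"},
        {"name": "run_shell", "description": "Execute a shell command"},
    ],
}


def build_sample_bundle() -> bytes:
    """Assemble an in-memory .mcpb (a zip archive) so the example runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("manifest.json", json.dumps(SAMPLE_MANIFEST))
        zf.writestr("server/index.js", "// placeholder MCP server code\n")
    return buf.getvalue()


def inventory_bundle(bundle: bytes) -> dict:
    """Report what a bundle declares and would launch, without installing it.

    A DXT runs unsandboxed with the host user's privileges, so the declared
    tools and the launch command are the surface a reviewer needs to see.
    """
    with zipfile.ZipFile(io.BytesIO(bundle)) as zf:
        manifest = json.loads(zf.read("manifest.json"))
        files = zf.namelist()
    server = manifest.get("server", {})
    cfg = server.get("mcp_config", {})
    return {
        "name": manifest.get("name"),
        "launch": [cfg.get("command", "")] + list(cfg.get("args", [])),
        "tools": [t["name"] for t in manifest.get("tools", [])],
        # A manifest that points at a file missing from the archive is a red flag.
        "entry_point_present": server.get("entry_point") in files,
        "files": files,
    }


if __name__ == "__main__":
    print(json.dumps(inventory_bundle(build_sample_bundle()), indent=2))
```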

The differences go even further in the privileges granted to Claude DXT. While Chrome extensions run inside a tightly sandboxed browser environment and have no direct system access, Claude DXTs execute without sandboxing and with full privileges on the host system, LayerX’s Paz noted.

As a result, a Claude DXT can perform sensitive operations, such as:

  • Read arbitrary files
  • Execute system commands
  • Access stored credentials
  • Modify operating system settings

Claude DXT…
