Claude Desktop Extensions: Zero-Click Remote Code Execution

Key Takeaways

  • Zero-click remote code execution (RCE) affects Claude Desktop Extensions
  • Malicious Google Calendar events can trigger full system compromise
  • Vulnerability stems from unsandboxed MCP connectors with full system privileges
  • Over 10,000 active users and 50+ extensions impacted

AI Connector Vulnerability Enables Silent System Compromise

LayerX researchers discovered a critical vulnerability in Anthropic’s Claude Desktop Extensions that allows remote code execution without any user click or explicit approval. The issue arises from how the Model Context Protocol (MCP) connectors autonomously chain low-risk inputs to high-risk actions, such as executing local code. When combined with external data like Google Calendar events, this flaw creates a broad trust boundary violation with severe consequences.

What We Know

On February 9, 2026, security analysts at LayerX disclosed a zero-click remote code execution flaw in Claude Desktop Extensions, a set of MCP-based connectors distributed through Anthropic’s extension marketplace. These extensions execute without sandboxing and run with full system privileges, giving them access to local files, credentials, and system commands. This differentiates them from traditional browser extensions that run within restricted environments. (Security Boulevard)

According to the report, attackers can craft a malicious Google Calendar event and then trigger execution by prompting the AI to manage calendar content. Because Claude interprets benign commands like “take care of it” as authorization to act, the model will chain calendar access to a local executor, leading to arbitrary code execution on the host system. (LayerX)

LayerX estimates that more than 10,000 active users and over 50 extensions are affected. Anthropic was notified but reportedly declined to fix the vulnerability at this time, asserting that permissions are defined by user configuration.

How It Happened

This flaw arises from a trust boundary failure in the MCP architecture used by Claude Desktop Extensions. Unlike traditional plugin models, these extensions run unsandboxed with full system access. The AI seamlessly chains together connectors — for example, Google Calendar and a local executor — based on the user’s natural language request. Without enforced guardrails to separate data sources from privileged actions, low-risk inputs can be forwarded into high-privilege execution contexts.

A proof-of-concept exploit uses a Google Calendar event containing simple instructions that, when read by the model in a subsequent prompt, lead directly to execution of malicious code locally — all without explicit user action or interaction.
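
One way to enforce the separation between data sources and privileged actions that this section says is missing, shown as an added example (not code from LayerX, Anthropic or PointGuard AI). The connector names, the trust labels and the `ToolCallGate` class are hypothetical, constructed for illustration.

```python
from dataclasses import dataclass, field

# Hypothetical connector names and trust labels, constructed for this example.
UNTRUSTED_SOURCES = {"google_calendar.list_events", "gmail.read_message"}
PRIVILEGED_SINKS = {"local_executor.run_command", "filesystem.write_file"}


@dataclass
class ToolCallGate:
    """Per-conversation gate between external data and privileged connectors."""
    tainted_by: list = field(default_factory=list)  # untrusted sources read so far
    audit_log: list = field(default_factory=list)   # (tool, decision, reason)

    def authorize(self, tool: str, user_approved: bool = False) -> bool:
        """Return True if the call may proceed.

        user_approved must reflect an explicit confirmation of this exact call,
        never the model's reading of a prompt such as "take care of it".
        """
        if tool in UNTRUSTED_SOURCES:
            # Reading is allowed, but the session is tainted from here on.
            self.tainted_by.append(tool)
            return self._record(tool, True, "untrusted source read; session tainted")
        if tool in PRIVILEGED_SINKS:
            if user_approved:
                return self._record(tool, True, "explicit per-call user approval")
            reason = ("follows untrusted input from " + ", ".join(self.tainted_by)
                      if self.tainted_by else "no explicit per-call approval")
            return self._record(tool, False, reason)
        # Tools missing from the policy are denied by default (least privilege).
        return self._record(tool, False, "tool not in policy")

    def _record(self, tool: str, allowed: bool, reason: str) -> bool:
        self.audit_log.append((tool, "allow" if allowed else "deny", reason))
        return allowed


def replay(calls):
    """Run a constructed list of (tool, user_approved) calls through a fresh gate."""
    gate = ToolCallGate()
    decisions = [gate.authorize(tool, approved) for tool, approved in calls]
    return decisions, gate.audit_log


if __name__ == "__main__":
    # Constructed sequence mirroring the calendar-to-executor chain described above.
    chain = [("google_calendar.list_events", False), ("local_executor.run_command", False)]
    for entry in replay(chain)[1]:
        print(entry)
```

The audit log records which untrusted source preceded each denied privileged call, which is the signal a detection pipeline would alert on.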

Why It Matters

This incident exposes a fundamental weakness in how autonomous AI connectors can interact with sensitive system resources. Enterprises increasingly integrate AI workflows with local tools and data, but the assumption that AI will respect security boundaries does not hold when connectors run with full privileges.

Because this is a zero-click vulnerability affecting real user environments, it elevates risk beyond theoretical prompt injection attacks. Threat actors could silently compromise endpoints, steal credentials, or pivot laterally within networks. This undermines traditional security models that rely on user interaction as a control point.

PointGuard AI Perspective

Zero-click RCE in AI connectors highlights why least privilege, policy enforcement, and guardrails must be applied to every AI-to-system interaction. Enterprises should not assume that AI tooling will automatically respect security boundaries, particularly when the underlying connectors operate with elevated privileges.

PointGuard AI helps organizations put structured controls between agents and system resources, ensuring that workflows involving external data sources, scheduling tools, and local execution are governed by explicit policies, not inferred intent. With real-time observability and enforcement, enterprises can reduce the blast radius of AI-enabled exploits and maintain compliance and resilience.

Incident Scorecard Details

Total AISSI Score: 8.4/10

Criticality = 9, Zero-click RCE enables full system compromise, AISSI weighting: 25%
Propagation = 8, Affects thousands of active users and many extensions, AISSI weighting: 20%
Exploitability = 9, Requires no user interaction, easily triggered via calendar event, AISSI weighting: 15%
Supply Chain = 7, Relies on MCP connectors distributed through extension marketplace, AISSI weighting: 15%
Business Impact = 8, High risk to endpoints and enterprise environments, AISSI weighting: 25%

Sources

LayerX disclosure of Claude Desktop Extensions RCE
https://securityboulevard.com/2026/02/flaw-in-anthropic-claude-extensions-can-lead-to-rce-in-google-calendar-layerx/ (Security Boulevard)

CSO Online coverage of critical RCE vulnerability
https://www.csoonline.com/article/4129820/anthropics-dxt-poses-critical-rce-vulnerability-by-running-with-full-system-privileges.html (CSO Online)

AI Security Severity Index (AISSI)

Scoring Methodology

  • Criticality (weight 25%): Importance and sensitivity of the affected assets and data.
  • Propagation (weight 20%): How easily can the issue escalate or spread to other resources.
  • Exploitability (weight 15%): Is the threat actively being exploited or just lab demonstrated.
  • Supply Chain (weight 15%): Did the threat originate with or was amplified by third-party vendors.
  • Business Impact (weight 25%): Operational, financial, and reputational consequences.
