Claude Desktop Flaw Let A Single Link Steal Data And Run Code

Oasis Security found that a crafted link could make Claude Desktop run an attacker's instructions with no chance to review them, risking data theft and, in certain configurations, code execution. Anthropic has now patched it.

Published on Jul 15, 2026
Claude Desktop Flaw Let A Single Link Steal Data And Run Code

Prompt-injection defenses assume a person sees and approves the requests they make of an AI agent. New research from Oasis Security has found that a single click on a crafted link could make Claude Desktop accept and run an attacker’s instructions, with no send button and no chance to review them.

The flaw lay in how the app handled links. Claude Desktop registered itself as the handler for a custom link type, the way a “mailto:” link opens your mail app. Oasis found a crafted link would open the app and submit a prepared prompt to the agent automatically.

The web version only pre-filled the box and left the user to send it. On the desktop app, that checkpoint was gone. A display quirk let the researchers hide malicious instructions off-screen, leaving a harmless-looking request in view.

On a default install, Oasis showed the injected prompt could quietly pull a user’s earlier conversations, covering health, finances, or work, and exfiltrate them to an attacker’s account, using a channel from the team’s earlier research on Claude.

The risk grew for users who had installed MCP servers, extensions giving the agent access to the local system. Where a popular file-access server was present, the same click could ultimately run code on the machine, via a dormant instruction that only triggered later when the user themselves asked the agent to write a file.

That reach is what worries John Gallagher, Vice President at Viakoo, who told Expert Insights organizations should treat AI agents as “shadow IT,” privileged software running outside normal oversight.

The risk is sharpest, he warned, on a machine managing operational technology, where a successful compromise “could allow a threat actor to pivot laterally and hijack operational networks.”

Update, and Watch What Agents Do

Anthropic has fixed the issue: prompts delivered through the link scheme now require a manual send, and the company addressed the trick used to disguise the links.

Oasis disclosed through Anthropic’s responsible disclosure program and published after the fix shipped, noting another researcher independently found the same issue.

Randolph Barr, CISO at Cequence Security, called it a case of responsible disclosure working as intended, but told Expert Insights the deeper lesson is that AI agents need a policy layer around them, one that flags an assistant “quietly uploading conversation history to an unfamiliar account.”

His advice for users is “verify, don’t assume”: individual macOS and Windows users are generally covered by auto-updates, but managed enterprise environments should confirm they are on the patched release.

This field is for validation purposes and should be left unchanged.

FREE NEWSLETTER

Cyber Weekly

Get curated cybersecurity news, threats and insights delivered free every Thursday.

Written By Written By
Alessandro Mascellino
Alessandro Mascellino Cybersecurity Reporter

Alessandro Mascellino is a British-Italian freelance journalist specializing in technology and gaming. He has contributed to several publications, including Wired, The Independent, and Android Police. By day, he works as a journalist. By night, he co-manages a game studio that creates narrative games.