CVE-2026-22561: Claude Setup: DLL search-order hijacking LPE
Severity: HIGH
The Claude for Windows installer (versions prior to 1.1.3363) loads DLLs from its own directory after UAC elevation, enabling local privilege escalation if an attacker pre-plants a malicious DLL alongside the installer binary. Update to 1.1.3363+ immediately and audit shared network drives or help desk assets for older installer copies. For enterprise rollouts, distribute exclusively via MDM-managed channels (SCCM/Intune) with verified packages; avoid user-initiated standalone installer execution.
What is the risk?
Moderate-to-high risk in enterprise contexts. Exploitation requires local write access to the directory containing the installer prior to execution — not remotely exploitable in isolation. Risk significantly escalates in environments with shared network installer shares, multi-user developer workstations, or IT workflows where installers are passed to end-users via email or intranet. No CVSS score assigned yet, but local privilege escalation post-UAC elevation typically lands CVSS 7.x (High). No evidence of in-the-wild exploitation; not in CISA KEV.
What should I do?
1) Patch: Deploy Claude for Windows 1.1.3363+ via official channels immediately.
2) Quarantine: Identify and remove all pre-1.1.3363 installer binaries from shared drives, intranets, ticketing attachments, and IT asset stores.
3) Deployment hardening: Mandate MDM-controlled distribution (SCCM, Intune) with cryptographic package verification; prohibit user-run standalone installers in corporate environments.
4) Detection: Enable Sysmon Event ID 7 (ImageLoad) monitoring for unexpected DLL loads from user-writable directories, particularly during elevated installer processes.
5) Directory ACLs: Restrict write access to locations where AI tool installers are stored to prevent pre-planting of malicious DLLs.
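Step 4 above (repeated in the FAQ answer below) calls for Sysmon Event ID 7 monitoring. The following added Python example is not part of this advisory or of Sysmon; it runs the core of such a rule over constructed EID 7 records and flags a DLL with a System32 name (profapi.dll, as named here) that is resolved from the loading process's own, user-writable directory. The watched-DLL set and the user-writable path fragments are assumptions to tune per estate.

```python
import ntpath  # Windows path handling, works on any OS

# Normal homes for system DLLs (lower-case, no trailing separator).
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Assumption: starting list of System32 DLL names to watch; extend it from your
# own image-load baseline. profapi.dll is the one the advisory names.
WATCHED_DLLS = {"profapi.dll", "version.dll", "cryptbase.dll", "userenv.dll"}
# Assumption: path fragments marking folders an unprivileged user can write to.
USER_WRITABLE_HINTS = ("\\downloads\\", "\\appdata\\local\\temp\\", "\\users\\public\\")


def suspicious_load_reasons(evt):
    """Reasons an EID 7 record (fields Image, ImageLoaded, Signed, Signature)
    looks like DLL search-order hijacking; an empty list means it is clean."""
    loaded = evt["ImageLoaded"].lower()
    loaded_dir, loaded_name = ntpath.split(loaded)
    if loaded_name not in WATCHED_DLLS or loaded_dir in SYSTEM_DIRS:
        return []  # not a watched DLL, or it came from where it should
    reasons = ["system DLL %s resolved outside System32" % loaded_name]
    if loaded_dir == ntpath.dirname(evt["Image"].lower()):
        reasons.append("resolved from the loading process's own directory")
    if loaded.startswith("\\\\") or any(h in loaded_dir + "\\" for h in USER_WRITABLE_HINTS):
        reasons.append("location is a network share or user-writable folder")
    if evt.get("Signed", "").lower() != "true" or "microsoft" not in evt.get("Signature", "").lower():
        reasons.append("not Microsoft-signed")
    return reasons


def scan(events):
    """Return (ProcessId, Image, reasons) for every flagged record."""
    return [(e["ProcessId"], e["Image"], r) for e in events if (r := suspicious_load_reasons(e))]


# Constructed sample telemetry (not real logs): a benign svchost load, an
# installer run from Downloads, the same installer run from a share, and an
# installer loading its own private helper DLL (not a system DLL name).
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "Image": r"C:\Windows\System32\svchost.exe", "Signed": "true",
     "ImageLoaded": r"C:\Windows\System32\profapi.dll", "Signature": "Microsoft Windows"},
    {"ProcessId": 5208, "Image": r"C:\Users\alice\Downloads\Claude Setup.exe", "Signed": "false",
     "ImageLoaded": r"C:\Users\alice\Downloads\profapi.dll", "Signature": ""},
    {"ProcessId": 5310, "Image": r"\\fileserver\installers\Claude Setup.exe", "Signed": "false",
     "ImageLoaded": r"\\fileserver\installers\profapi.dll", "Signature": ""},
    {"ProcessId": 6002, "Image": r"C:\Users\alice\Downloads\Claude Setup.exe", "Signed": "false",
     "ImageLoaded": r"C:\Users\alice\Downloads\helper.dll", "Signature": ""},
]

if __name__ == "__main__":
    for pid, image, reasons in scan(SAMPLE_EVENTS):
        print(pid, image, "->", "; ".join(reasons))
```

In production the records come from the Sysmon operational log (Event ID 7) rather than the constructed list; the two installer loads of profapi.dll are flagged, the svchost and helper.dll loads are not.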
CISA SSVC Assessment
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
Frequently Asked Questions
What is CVE-2026-22561?
The Claude for Windows installer (versions prior to 1.1.3363) loads DLLs from its own directory after UAC elevation, enabling local privilege escalation if an attacker pre-plants a malicious DLL alongside the installer binary. Update to 1.1.3363+ immediately and audit shared network drives or help desk assets for older installer copies. For enterprise rollouts, distribute exclusively via MDM-managed channels (SCCM/Intune) with verified packages; avoid user-initiated standalone installer execution.
Is CVE-2026-22561 actively exploited?
No confirmed active exploitation of CVE-2026-22561 has been reported, but organizations should still patch proactively.
How to fix CVE-2026-22561?
1) Patch: Deploy Claude for Windows 1.1.3363+ via official channels immediately.
2) Quarantine: Identify and remove all pre-1.1.3363 installer binaries from shared drives, intranets, ticketing attachments, and IT asset stores.
3) Deployment hardening: Mandate MDM-controlled distribution (SCCM, Intune) with cryptographic package verification; prohibit user-run standalone installers in corporate environments.
4) Detection: Enable Sysmon Event ID 7 (ImageLoad) monitoring for unexpected DLL loads from user-writable directories, particularly during elevated installer processes.
5) Directory ACLs: Restrict write access to locations where AI tool installers are stored to prevent pre-planting of malicious DLLs.
What systems are affected by CVE-2026-22561?
This vulnerability affects the following AI/ML architecture patterns: AI desktop clients, Windows developer workstations, Enterprise AI tool deployments, Agent frameworks running on-premise.
What is the CVSS score for CVE-2026-22561?
CVE-2026-22561 has a CVSS v3.1 base score of 7.8 (HIGH). The EPSS exploitation probability is 0.01%.
Technical Details
NVD Description
Uncontrolled search path elements in Anthropic Claude for Windows installer (Claude Setup.exe) versions prior to 1.1.3363 allow local privilege escalation via DLL search-order hijacking. The installer loads DLLs (e.g., profapi.dll) from its own directory after UAC elevation, enabling arbitrary code execution if a malicious DLL is planted alongside the installer.
Exploitation Scenario
An adversary with local user-level access — via a compromised developer workstation, insider threat, or initial access via phishing — places a weaponized profapi.dll in the same directory as Claude Setup.exe staged on a shared network drive or the user's Downloads folder. When an IT administrator or the user runs the installer and approves the UAC prompt, the now-elevated installer process resolves profapi.dll from the local directory before system paths, loading the attacker-controlled library with SYSTEM privileges. This grants the adversary full endpoint control without triggering further UAC prompts, enabling credential dumping, persistence, and lateral movement across the corporate network — particularly dangerous in AI-heavy development environments where Claude is being rolled out to engineering or security teams.
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Related Vulnerabilities
CVE-2025-59528 (10.0) Flowise: Unauthenticated RCE via MCP config injection. Same attack type: Supply Chain
CVE-2024-2912 (10.0) BentoML: RCE via insecure deserialization (CVSS 10). Same attack type: Supply Chain
CVE-2023-3765 (10.0) MLflow: path traversal allows arbitrary file read. Same attack type: Supply Chain
CVE-2025-5120 (10.0) smolagents: sandbox escape enables unauthenticated RCE. Same attack type: Supply Chain
CVE-2026-21858 (10.0) n8n: Input Validation flaw enables exploitation. Same attack type: Code Execution