CVE-2026-22561: Claude Setup: DLL search-order hijacking LPE

HIGH
Published March 31, 2026
CISO Take

The Claude for Windows installer (versions prior to 1.1.3363) loads DLLs from its own directory after UAC elevation, enabling local privilege escalation if an attacker pre-plants a malicious DLL alongside the installer binary. Update to 1.1.3363+ immediately and audit shared network drives or help desk assets for older installer copies. For enterprise rollouts, distribute exclusively via MDM-managed channels (SCCM/Intune) with verified packages — avoid user-initiated standalone installer execution.

What is the risk?

Moderate-to-high risk in enterprise contexts. Exploitation requires write access to the directory containing the installer before it is run; the flaw is not remotely exploitable on its own. Risk rises sharply in environments with shared network installer shares, multi-user developer workstations, or IT workflows where installers are passed to end users by email or intranet. The CVSS 3.1 base score is 7.8 (High): local attack vector, low complexity, no privileges required, user interaction required, and high confidentiality, integrity and availability impact. No evidence of in-the-wild exploitation; not in CISA KEV.

Severity & Risk

CVSS 3.1: 7.8 / 10
EPSS: 0.0% chance of exploitation in 30 days (higher than 2% of all CVEs)
Exploitation Status: No known exploitation
Sophistication: Moderate

Attack Surface

Metric                    Value
AV (Attack Vector)        Local
AC (Attack Complexity)    Low
PR (Privileges Required)  None
UI (User Interaction)     Required
S  (Scope)                Unchanged
C  (Confidentiality)      High
I  (Integrity)            High
A  (Availability)         High

What should I do?

5 steps
  1. Patch: Deploy Claude for Windows 1.1.3363+ via official channels immediately.
  2. Quarantine: Identify and remove all pre-1.1.3363 installer binaries from shared drives, intranets, ticketing attachments, and IT asset stores.
  3. Deployment hardening: Mandate MDM-controlled distribution (SCCM, Intune) with cryptographic package verification; prohibit user-run standalone installers in corporate environments.
  4. Detection: Monitor Sysmon Event ID 7 (ImageLoad) for DLL loads from user-writable directories, particularly by elevated installer processes. Sysmon only records image loads when its configuration contains an ImageLoad rule, so confirm that rule is deployed before relying on this signal.
  5. Directory ACLs: Restrict write access to locations where AI tool installers are stored so that a malicious DLL cannot be pre-planted next to them.
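The detection step above is easiest to reason about against concrete records. The following is an added example for this advisory, not vendor code or a shipped rule: it scores Sysmon Event ID 7 (ImageLoad) records over a constructed set of JSON-line events in the flat field layout a log forwarder emits, correlating each load with the process's Event ID 1 IntegrityLevel so that loads by an elevated process from a user-writable directory rank first. The directory markers, the DLL-name list and the sample events are assumptions constructed for the demonstration.

```python
"""
Triage of Sysmon Event ID 7 (ImageLoad) records for DLL search-order
hijacking: flag DLLs loaded from user-writable directories, weight the hit
by whether the loading process was elevated (Event ID 1 IntegrityLevel
High/System), whether the DLL is unsigned, whether it carries a System32
name such as profapi.dll, and whether it sits beside the process image.

Added example for this advisory, not vendor code. The events are
constructed JSON lines in the flat field layout a log forwarder emits for
Sysmon; they are not captured telemetry, and the directory markers and
DLL-name list below are assumptions to tune to your estate.
"""
import json
import ntpath
from typing import Dict, Iterable, List

# Constructed: System32 libraries that are not KnownDLLs and are therefore
# routinely hijacked from an application directory.
SYSTEM_DLL_NAMES = {"profapi.dll", "version.dll", "cryptbase.dll", "dwmapi.dll", "userenv.dll"}

# Constructed: path fragments that mark locations a standard user can write to.
WRITABLE_MARKERS = ("\\users\\", "\\windows\\temp\\", "\\programdata\\")


def is_user_writable(path: str) -> bool:
    """True for UNC shares and the usual user-writable local roots."""
    p = ntpath.normcase(path)  # lower-case, backslashes; pure string op
    return p.startswith("\\\\") or any(m in p for m in WRITABLE_MARKERS)


def triage(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Score ImageLoad events; returns findings, highest score first.

    Assumes the feed delivers a process's Event ID 1 before its Event ID 7
    records, which holds for a per-host stream ordered by time."""
    integrity: Dict[str, str] = {}
    findings: List[Dict[str, object]] = []
    for line in lines:
        ev = json.loads(line)
        if ev["EventID"] == 1:
            integrity[ev["ProcessGuid"]] = ev.get("IntegrityLevel", "")
            continue
        if ev["EventID"] != 7:
            continue
        loaded = ntpath.normcase(ev["ImageLoaded"])
        if not is_user_writable(loaded):
            continue
        elevated = integrity.get(ev["ProcessGuid"], "") in ("High", "System")
        unsigned = ev.get("Signed", "false").lower() != "true"
        if not (elevated or unsigned):
            continue  # signed DLL in a medium-integrity process: noise
        name = ntpath.basename(loaded)
        same_dir = ntpath.dirname(loaded) == ntpath.dirname(ntpath.normcase(ev["Image"]))
        score = (3 if elevated else 0) + (2 if unsigned else 0) \
            + (2 if name in SYSTEM_DLL_NAMES else 0) + (1 if same_dir else 0)
        findings.append({"time": ev.get("UtcTime"), "process": ev["Image"],
                         "dll": name, "loaded_from": ev["ImageLoaded"],
                         "elevated": elevated, "unsigned": unsigned, "score": score})
    return sorted(findings, key=lambda f: -int(f["score"]))


# Constructed sample: an elevated installer run (A) that picks up a planted
# profapi.dll, a medium-integrity run (B) loading an unsigned helper, and a
# load from Program Files (C) that no standard user could have written.
SAMPLE_EVENTS = [
    json.dumps(e) for e in (
        {"EventID": 1, "UtcTime": "2026-03-31 09:00:01", "ProcessGuid": "{A}",
         "Image": r"C:\Users\bob\Downloads\Claude Setup.exe", "IntegrityLevel": "High"},
        {"EventID": 7, "UtcTime": "2026-03-31 09:00:01", "ProcessGuid": "{A}",
         "Image": r"C:\Users\bob\Downloads\Claude Setup.exe",
         "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
        {"EventID": 7, "UtcTime": "2026-03-31 09:00:02", "ProcessGuid": "{A}",
         "Image": r"C:\Users\bob\Downloads\Claude Setup.exe",
         "ImageLoaded": r"C:\Users\bob\Downloads\profapi.dll", "Signed": "false"},
        {"EventID": 1, "UtcTime": "2026-03-31 09:05:00", "ProcessGuid": "{B}",
         "Image": r"C:\Users\bob\Downloads\tool.exe", "IntegrityLevel": "Medium"},
        {"EventID": 7, "UtcTime": "2026-03-31 09:05:01", "ProcessGuid": "{B}",
         "Image": r"C:\Users\bob\Downloads\tool.exe",
         "ImageLoaded": r"C:\Users\bob\Downloads\helper.dll", "Signed": "false"},
        {"EventID": 7, "UtcTime": "2026-03-31 09:06:00", "ProcessGuid": "{C}",
         "Image": r"C:\Program Files\Foo\foo.exe",
         "ImageLoaded": r"C:\Program Files\Foo\profapi.dll", "Signed": "false"},
    )
]


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"score={f['score']} elevated={f['elevated']} {f['process']} <- {f['loaded_from']}")
```

Run as-is it reports two findings: the elevated installer loading an unsigned profapi.dll from its own Downloads directory scores 8, the medium-integrity unsigned helper scores 3, and the Program Files load is dropped because that directory is not user-writable. The score weights are a starting point; the part worth keeping is the correlation to the Event ID 1 integrity level, since an unsigned load in a medium-integrity process is common and an unsigned load of a System32 name in a high-integrity process is not.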

CISA SSVC Assessment

Decision: Track
Exploitation: none
Automatable: No
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.8.4 - AI system supply chain management
NIST AI RMF
GOVERN-6.1 - Policies and procedures address AI risks from third-party entities
OWASP LLM Top 10
LLM03:2025 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2026-22561?

CVE-2026-22561 is a DLL search-order hijacking vulnerability (uncontrolled search path element) in the Claude for Windows installer, Claude Setup.exe, in versions prior to 1.1.3363. After UAC elevation the installer loads DLLs such as profapi.dll from its own directory, so a malicious DLL planted next to the installer is executed with the elevated token, giving local privilege escalation. The fix is in 1.1.3363 and later; older installer copies on shared drives or help desk assets should be removed.

Is CVE-2026-22561 actively exploited?

No confirmed active exploitation of CVE-2026-22561 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-22561?

Deploy Claude for Windows 1.1.3363 or later, remove pre-1.1.3363 installer copies from shared drives, intranets and ticketing attachments, distribute through MDM-managed channels (SCCM, Intune) with package verification rather than user-run standalone installers, monitor Sysmon Event ID 7 for DLL loads from user-writable directories by elevated processes, and restrict write access to the directories where installers are stored. The full step list is under "What should I do?" above.

What systems are affected by CVE-2026-22561?

The affected product is the Claude for Windows installer (Claude Setup.exe) in versions prior to 1.1.3363; installed copies of the client are not the issue, the installer binary is. In deployment terms it is relevant to AI desktop clients, Windows developer workstations, enterprise AI tool rollouts, and on-premise agent frameworks where the installer is staged on disk before it is run.

What is the CVSS score for CVE-2026-22561?

CVE-2026-22561 has a CVSS v3.1 base score of 7.8 (HIGH). The EPSS exploitation probability is 0.01%.

Technical Details

NVD Description

Uncontrolled search path elements in Anthropic Claude for Windows installer (Claude Setup.exe) versions prior to 1.1.3363 allow local privilege escalation via DLL search-order hijacking. The installer loads DLLs (e.g., profapi.dll) from its own directory after UAC elevation, enabling arbitrary code execution if a malicious DLL is planted alongside the installer.

Exploitation Scenario

An adversary with local user-level access, whether through a compromised developer workstation, an insider, or initial access via phishing, places a weaponized profapi.dll next to Claude Setup.exe in a location they can write to: the user's Downloads folder, or an installer share the adversary can modify. When an IT administrator or the user later runs the installer and approves the UAC prompt, the now-elevated process resolves profapi.dll by name rather than by full path. profapi.dll is not a KnownDLL, and the application directory is searched before System32 in the default search order, so the attacker's copy is loaded and its DllMain runs under the elevated administrator token (high integrity), not the standard user's. From there the adversary has full control of the endpoint without any further UAC prompt: credential dumping, persistence, and lateral movement across the corporate network. The exposure is greatest in AI-heavy development environments where Claude is being rolled out to engineering or security teams and installers circulate by hand.
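The NVD description and the scenario above both turn on the same mechanism: for a bare DLL name, the default Windows search order consults the application directory before System32, unless the name is a KnownDLL. The following is an added example for this advisory, not Anthropic's installer code and not a real loader: it models that search order on a constructed in-memory file system, shows the planted profapi.dll winning the lookup, shows the same trick failing for kernel32.dll because it is a KnownDLL, and shows how a loader restricted to System32 (the LOAD_LIBRARY_SEARCH_SYSTEM32 behaviour) resolves the name safely. The KnownDLLs subset, directories and import list are assumptions constructed here.

```python
"""
Model of the Windows default DLL search order (SafeDllSearchMode on) used
to show why a DLL planted beside an installer wins the lookup for a name
like profapi.dll, why the same trick fails for a KnownDLL, and how a loader
restricted to System32 resolves the name safely.

This is an added example for this advisory. It is not Anthropic's installer
code and it does not touch a real loader: the file system, the KnownDLLs
subset, the directories and the import list are all constructed here.
"""
import ntpath
from typing import Dict, List, Optional, Set

SYSTEM32 = r"C:\Windows\System32"
WINDIR = r"C:\Windows"

# Constructed subset of HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\
# KnownDLLs. A KnownDLL is mapped from System32 and never searched for on
# disk; profapi.dll is deliberately absent because it is not on that list,
# which is exactly what makes it a usable hijack target.
KNOWN_DLLS: Set[str] = {"ntdll.dll", "kernel32.dll", "user32.dll", "advapi32.dll"}


class FakeFs:
    """Minimal directory -> file-name map standing in for the disk."""

    def __init__(self) -> None:
        self._dirs: Dict[str, Set[str]] = {}

    def put(self, directory: str, name: str) -> None:
        self._dirs.setdefault(ntpath.normcase(directory), set()).add(name.lower())

    def has(self, directory: str, name: str) -> bool:
        return name.lower() in self._dirs.get(ntpath.normcase(directory), set())


def default_search_order(app_dir: str, cwd: str, path_dirs: List[str]) -> List[str]:
    """Directories LoadLibrary("name.dll") walks, in order, when SafeDllSearchMode
    is enabled (the default): application directory first, System32 second."""
    return [app_dir, SYSTEM32, ntpath.join(WINDIR, "System"), WINDIR, cwd, *path_dirs]


def resolve(fs: FakeFs, name: str, app_dir: str, cwd: str,
            path_dirs: List[str], system32_only: bool = False) -> Optional[str]:
    """Return the path the loader would pick for a bare DLL name, or None."""
    name = name.lower()
    if name in KNOWN_DLLS:
        # KnownDLLs short-circuit the search entirely.
        return ntpath.join(SYSTEM32, name)
    # system32_only models LOAD_LIBRARY_SEARCH_SYSTEM32 (or a process-wide
    # SetDefaultDllDirectories(LOAD_LIBRARY_SEARCH_SYSTEM32)): the application
    # directory is no longer consulted for bare names.
    order = [SYSTEM32] if system32_only else default_search_order(app_dir, cwd, path_dirs)
    for directory in order:
        if fs.has(directory, name):
            return ntpath.join(directory, name)
    return None


def hijackable_imports(imports: List[str]) -> List[str]:
    """Imports a default-order loader would take from the application directory
    if an attacker can write there: everything that is not a KnownDLL."""
    return sorted(i.lower() for i in imports if i.lower() not in KNOWN_DLLS)


def run_scenario() -> Dict[str, Optional[str]]:
    """Walk the advisory's scenario and return where each lookup lands."""
    fs = FakeFs()
    for dll in ("ntdll.dll", "kernel32.dll", "user32.dll", "advapi32.dll",
                "profapi.dll", "version.dll"):
        fs.put(SYSTEM32, dll)
    downloads = r"C:\Users\bob\Downloads"  # constructed staging directory
    fs.put(downloads, "Claude Setup.exe")
    args = (downloads, downloads, [r"C:\Windows", SYSTEM32])

    out: Dict[str, Optional[str]] = {}
    out["clean"] = resolve(fs, "profapi.dll", *args)
    # Attacker with write access to Downloads plants the two DLLs.
    fs.put(downloads, "profapi.dll")
    fs.put(downloads, "kernel32.dll")
    out["planted_profapi"] = resolve(fs, "profapi.dll", *args)
    out["planted_kernel32"] = resolve(fs, "kernel32.dll", *args)
    out["hardened_profapi"] = resolve(fs, "profapi.dll", *args, system32_only=True)
    return out


if __name__ == "__main__":
    for key, path in run_scenario().items():
        print(f"{key:18} -> {path}")
    print("hijackable:", hijackable_imports(["kernel32.dll", "profapi.dll", "version.dll"]))
```

The model deliberately ignores manifests, DLL redirection and the loader's already-loaded-module check; it captures the one rule that matters for this class of bug. The practical takeaway for an installer author is the last case: loading system libraries with LOAD_LIBRARY_SEARCH_SYSTEM32, or calling SetDefaultDllDirectories early in the process, takes the application directory out of the search for bare names so that a writable staging directory no longer decides what gets loaded.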

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Timeline

Published
March 31, 2026
Last Modified
May 10, 2026
First Seen
March 31, 2026
