Security researchers have uncovered a vulnerability chain in Anthropic’s Claude Cowork Sandbox that allows a local attacker to bypass multiple security protections and execute arbitrary commands as root inside the product’s isolated Linux sandbox.
Although the attack requires local code execution on the host system, the research demonstrates that several built-in security mechanisms can be bypassed, ultimately leading to full administrative control within the sandbox.
How Claude Cowork Protects Its Sandbox
Claude Cowork Sandbox is designed to help users build applications and automate tasks using Claude Code within an isolated environment.
On Windows, the platform runs workloads inside a Hyper-V-based Ubuntu virtual machine protected by several security layers, including:
- Hyper-V isolated Ubuntu VM
- Authenticode-based named pipe authentication
- Bubblewrap sandbox namespaces
- Per-session unprivileged Linux users
- Seccomp filtering
- Domain-restricted outbound network access
These protections are intended to isolate workloads and prevent unauthorized access to the underlying environment.
Researchers Found a Way Around the Protections
According to research published by Armadin, the attack targeted the CoworkVMService, a Local System service responsible for managing communication between Windows and the Ubuntu virtual machine.
The service uses a named pipe and validates that only applications digitally signed by Anthropic can communicate with it.
Researchers attempted to bypass the signature validation but found that the authentication checks correctly rejected forged signatures and invalid trust chains.
Instead, they identified another attack path.
DLL Sideloading Enabled Code Execution
Researchers discovered that claude.exe loads USERENV.dll from its application directory before loading the legitimate Windows system library.
By placing a malicious USERENV.dll alongside the application, they successfully performed DLL sideloading, allowing arbitrary code to execute inside the trusted Anthropic process.
Because the malicious code was running within the signed application, it successfully passed the service’s identity verification.
Root Access Achieved Through RPC Manipulation
After gaining code execution, researchers analyzed the application’s JSON-based RPC protocol used to communicate with the virtual machine.
The protocol exposed several methods, including:
- configure
- startVM
- isGuestConnected
- spawn
While most security controls continued to function correctly, researchers discovered that two parameters—isResume and allowedDomains—were forwarded directly to the sandbox daemon without sufficient validation.
By fuzzing the RPC interface, they reconstructed the parameter structure and identified a logic flaw.
Normally, setting isResume to false creates a new unprivileged Linux user.
However, when isResume was set to true, the existing user validation was skipped entirely.
This allowed researchers to specify any username, including root, and execute commands with root privileges inside the sandbox.
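The flaw described above is a classic conditional validation gap: the identity check runs on one code path (fresh session) and is skipped on the other (resume). The minimal model below is an added example, not the product's own daemon code or the researchers' code. It keeps the parameter names the article gives (isResume, username, allowedDomains); the per-session user naming scheme, the session registry and the domain rule are assumptions made for illustration. The vulnerable handler reproduces only the decision logic the article describes, beside a hardened handler that validates the target identity on every path.

```python
# Added example (not from the article or the product): the resume-path
# validation gap as a minimal model, next to a hardened version.
import re

# Assumed naming scheme for per-session unprivileged users.
SESSION_USER = re.compile(r"session-[0-9a-f]{8}")
# Assumed hostname rule for allowedDomains entries: labels of letters,
# digits and hyphens joined by dots, no wildcards, no empty entries.
DOMAIN = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+")


def new_session_user(known_users: set) -> str:
    """Create a fresh unprivileged session user (constructed, deterministic)."""
    user = f"session-{len(known_users):08x}"
    known_users.add(user)
    return user


def vulnerable_spawn(request: dict, known_users: set) -> str:
    """Mirror of the described flaw: the username is only produced and
    checked on the fresh-session path, so isResume=True takes whatever
    name the caller supplied, including "root"."""
    if not request.get("isResume"):
        return new_session_user(known_users)
    return request["username"]          # forwarded without validation


def validate_allowed_domains(domains) -> list:
    """Accept only a list of plain hostnames (assumed policy)."""
    if not isinstance(domains, list):
        raise ValueError("allowedDomains must be a list")
    cleaned = []
    for d in domains:
        if not isinstance(d, str) or not DOMAIN.fullmatch(d.lower()):
            raise ValueError(f"invalid domain entry {d!r}")
        cleaned.append(d.lower())
    return cleaned


def hardened_spawn(request: dict, known_users: set) -> str:
    """Validate the target identity on every path, not just on creation."""
    validate_allowed_domains(request.get("allowedDomains", []))
    if not request.get("isResume"):
        return new_session_user(known_users)
    user = request.get("username", "")
    # Resuming may only target a user this daemon created earlier.
    if not SESSION_USER.fullmatch(user):
        raise PermissionError(f"refusing non-session user {user!r}")
    if user not in known_users:
        raise PermissionError(f"unknown session user {user!r}")
    return user


def hardened_rejects(request: dict, known_users: set) -> bool:
    """Helper for checks: True when the hardened handler refuses the request."""
    try:
        hardened_spawn(request, known_users)
    except (PermissionError, ValueError):
        return True
    return False


if __name__ == "__main__":
    users = set()
    first = hardened_spawn({"isResume": False}, users)
    print("created", first)
    print("resume ok:", hardened_spawn({"isResume": True, "username": first}, users))
    print("root refused:", hardened_rejects({"isResume": True, "username": "root"}, users))
```

The point of the hardened version is that the resume path does not trust the caller's username at all beyond looking it up in state the daemon itself created; a privileged name such as root can never satisfy that lookup, whatever the value of isResume.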
Security Impact
The vulnerability demonstrates that multiple security boundaries can be bypassed once an attacker gains local code execution.
Although Anthropic’s threat model already assumes an attacker with local access, the research highlights how privilege escalation can occur even inside heavily sandboxed AI environments.
Successful exploitation could allow an attacker to:
- Execute commands as root inside the Linux sandbox.
- Bypass intended privilege restrictions.
- Gain unrestricted administrative access within the virtual machine.
- Circumvent multiple sandbox security controls.
The issue was successfully demonstrated against Claude Desktop for Windows version 1.9255.2.0.
As AI-powered development environments continue to evolve, this research serves as a reminder that sandbox implementations should be regularly reviewed to ensure privilege boundaries cannot be bypassed through chained vulnerabilities.