What happened
Oasis Security published the PromptFiction finding on July 15, 2026, showing that when chained with the previously disclosed "Claudy Day" trio of flaws, an attacker could achieve silent exfiltration of prior conversation history and — when Anthropic's official Filesystem Server is installed — local file read/write, persistence, and ultimately remote code execution on the victim's machine.
Why it matters
This removes the last human-in-the-loop safeguard (the Send button) from a whole class of prompt-injection attacks against a widely deployed desktop AI agent, and demonstrates a realistic end-to-end path from a single link click to RCE on developer/analyst machines running Claude Desktop with filesystem tool access.
Attack vector
Claude Desktop registers a custom claude:// URI handler that accepts a `q` parameter containing prompt text and auto-submits it to the agent without requiring the user to press Enter/Send, unlike the web app. A single click on a crafted claude:// link (embedded in a webpage, chat message, document, or search result) puts fully attacker-authored instructions in front of the agent for immediate execution, with long-message UI collapsing used to hide the malicious payload beneath a visible, benign-looking request.
Affected systems
Anthropic Claude Desktop application, versions prior to 1.1.2321
Mitigation
Fixed by Anthropic in Claude Desktop version 1.1.2321 via its Responsible Disclosure Program; users should upgrade immediately.