Vulnerability  ·  2026-07-16

Claude Desktop "PromptFiction" — Zero-Click Prompt Injection via claude:// URI Scheme

VulnerabilityHigh impactGlobal
Oasis Security published the PromptFiction finding on July 15, 2026, showing that when chained with the previously disclosed "Claudy Day" trio of flaws, an attacker could achieve silent exfiltration of prior conversation history and — when Anthropic's official Filesystem Server is installed — local file read/write, persistence, and ultimately remote code execution on the victim's machine.
This removes the last human-in-the-loop safeguard (the Send button) from a whole class of prompt-injection attacks against a widely deployed desktop AI agent, and demonstrates a realistic end-to-end path from a single link click to RCE on developer/analyst machines running Claude Desktop with filesystem tool access.
Claude Desktop registers a custom claude:// URI handler that accepts a `q` parameter containing prompt text and auto-submits it to the agent without requiring the user to press Enter/Send, unlike the web app. A single click on a crafted claude:// link (embedded in a webpage, chat message, document, or search result) puts fully attacker-authored instructions in front of the agent for immediate execution, with long-message UI collapsing used to hide the malicious payload beneath a visible, benign-looking request.
Anthropic Claude Desktop application, versions prior to 1.1.2321
Fixed by Anthropic in Claude Desktop version 1.1.2321 via its Responsible Disclosure Program; users should upgrade immediately.
Dark ReadingOasis Security
See this in the live feed Explore related AI security and governance findings — updated every morning.
Open the feed →