Flaw in Anthropic Claude Extensions Can Lead to RCE in Google Calendar: LayerX
Researchers with cybersecurity firm Miggo last month wrote about a vulnerability in Google’s Gemini AI model that could let bad actors abuse Google Calendar invites to access and leak private data, an example of the inability of traditional security measures to keep pace with threats posed by AI.
LayerX researchers today wrote about a similar flaw in Anthropic’s Claude Desktop Extensions (DXT) that they said impacts more than 10,000 active users and 50 DXT extensions and reflects the risks that come with AI models that have full system privileges.
Under the right conditions, a calendar event can become a zero-click remote code execution (RCE) vulnerability that the user won’t see until after the compromise.
“Unlike traditional browser extensions, Claude Desktop Extensions run unsandboxed with full system privileges,” Roy Paz, principal security researcher with LayerX, wrote in a report. “As a result, Claude can autonomously chain low-risk connectors (e.g., Google Calendar) to high-risk local executors, without user awareness or consent. If exploited by a bad actor, even a benign prompt (‘take care of it’), coupled with a maliciously worded calendar event, is sufficient to trigger arbitrary local code execution that compromises the entire system.”
Automating Calendar Tasks
At their core, Claude Desktop Extensions are MCP servers put together and distributed through Anthropic’s extension marketplace and come as a zip archive that includes the MCP server implementation code and a definition of the extension’s exposed functions, Paz wrote. They connect the Claude Desktop app to local files, applications, and system resources via MCP to automate tasks.
In this case, that can include automating reading and sending messages, accessing filesystems, or controlling software, which can be dangerous if a user decides to let an AI model like Claude manage their online calendars.
Not Passive Extensions
Users may see the extensions as similar to browser add-ons, like Chrome .crx packages, installed with a single click. However, Chrome extensions run inside a sandboxed browser environment without direct system access. Claude Desktop Extensions are different. They execute without sandboxing and with the full privileges on the host system.
Given that, they can access sensitive system resources and perform activities like reading arbitrary files, executing system commands, accessing stored credentials, and modifying system settings.
“These extensions are not passive plugins,” Paz wrote. “They function as privileged execution bridges between Claude’s language model and the local operating system.”
Safeguards Needed
The issue comes down to how Claude processes input from Google Calendar and similar public-facing connectors, he wrote. The model will respond to a user prompt by determining which installed MCP connects to use and how to chain them together to address the request.
“The problem arises when autonomous decision-making results in an unsafe execution path,” he wrote. “There are no hardcoded safeguards that prevent Claude from constructing a malformed or dangerous workflow. Consequently, data extracted from a relatively low-risk connector (Google Calendar) can be forwarded directly into a local MCP server with code-execution capabilities.”
Actions like automatically transferring calendar data to a privileged local executor like Claude should come with user consent. However, in this scenario, it doesn’t.
RCE Threat in a Generic Calendar Event
In their work, LayerX’s researchers looked for a generic Google Calendar event that could trigger code execution in MCP without an explicit request to automate the work and without having to use obfuscation, hidden instructions, or adversarial prompt engineering. They settled on the user prompt, “Please check my latest events in Google Calendar and then take care of it for me.”
“A human assistant would reasonably interpret this as a request to manage scheduling conflicts or protect availability,” Paz wrote. “Claude, however, inferred something far more powerful. It is assumed that ‘taking care of it’ justified executing local code via an MCP extension. This assumption is the critical failure.”
To exploit the vulnerability, they labeled a calendar event as “Task Management,” then instructed the AI to run a git pull from GitHub, save it to C:\Test\Code, and run the “make” file to complete the process. This resulted in a full RCE, he wrote.
The vulnerability “creates system-wide trust boundary violations in LLM-driven workflows, resulting in a broad, unresolved attack surface that makes MCP connectors unsafe for security-sensitive systems,” Paz wrote.
Permissions are a User’s Decision
He noted that Anthropic was notified of the vulnerability, but decided not to address it. In an email to Security Boulevard, an Anthropic spokesperson wrote that Claude Desktop’s MCP integration is a local development tool, and users can explicitly configure and grant permissions to servers they opt to run.
“To be clear, the situation described in the post requires a targeted user to have intentionally installed these tools and granted permission to run them without prompts,” the spokesperson wrote. “We recommend that users exercise the same caution when installing MCP servers as they do when installing third-party software.”
They added that “since users maintain full control over which MCP servers they enable and the permissions those servers have, the security boundary is defined by the user’s configuration choices and their system’s existing security controls.”
Risks that Come with MCP Servers
MCP servers play a critical role in enabling AI models and agents to access external data pools and applications to independently complete their work, but they also open up a host of security concerns. According to Red Hat, such concerns focus on such areas as authentication and authorization, supply chains, unauthorized command execution, and prompt and tool injection.
“MCP has sparked interest in manipulating tools using natural language and in better understanding how we communicate users, LLMs and tools,” Florencio Cano Gabarda, principal product security engineer for AI security and safety at the IBM-owned company, wrote in a blog post last year. “However, we must acknowledge the security risks that come with this increase in automation and additional AI agency.”
‘A Non-Trivial Attack Surface’
LayerX’s Paz, writing about the latest flaw, wrote that “until this class of vulnerabilities is fully addressed, MCP connectors represent a non-trivial attack surface. The automatic bridging of benign data sources into privileged execution contexts is fundamentally unsafe and easily exploitable.”
Organizations shouldn’t use MCP connectors on systems where security is important until safeguards are developed, he added.
