Vulnerability in Anthropic’s Claude Code Shows Up in Cowork

  • Jeffrey Burt--securityboulevard.com
  • published date: 2026-01-16 00:00:00 UTC

<p>Anthropic earlier this week released the research preview of Claude Cowork, an AI agent aimed at non-developers to help them with their everyday work by automating many of the tasks they typically would have to do themselves.</p>
<p>In announcing the agent, the AI company used as an example a worker giving Cowork access to their computer and having it pull a folder. Through that, Anthropic’s <a href="https://securityboulevard.com/2025/09/anthropic-report-shows-bad-actors-abusing-claude-in-attacks/" target="_blank" rel="noopener">Claude AI model</a> can read, edit, or create files in the folder, reorganize downloads, create a new spreadsheet from data in the folder, and perform other jobs.</p>
<p>“In Cowork, Claude completes work like this with much more agency than you’d see in a regular conversation,” Anthropic executives <a href="https://claude.com/blog/cowork-research-preview" target="_blank" rel="noopener">wrote</a> when announcing Cowork. “Once you’ve set it a task, Claude will make a plan and steadily complete it, while looping you in on what it’s up to.”</p>
<p>It has many of the same capabilities as the company’s Claude Code for developers, and it is a timesaver for employees.
However, like most AI models and agents, Cowork is <a href="https://securityboulevard.com/2026/01/report-massive-amounts-of-sensitive-data-being-shared-with-genai-tools/" target="_blank" rel="noopener">vulnerable to security risks</a> such as prompt injection, in which a bad actor manipulates inputs to override guardrails and instructions in order to exfiltrate sensitive data or launch unauthorized actions.</p>
<h3>New Tool, Same Flaw</h3>
<p>According to researchers with AI security firm PromptArmor, a vulnerability <a href="https://embracethered.com/blog/posts/2025/claude-abusing-network-access-and-anthropic-api-for-data-exfiltration/" target="_blank" rel="noopener">first detected</a> in Claude Code in October 2025 is also present in Cowork, exposing it to the same indirect prompt injection threat as Claude Code. PromptArmor researchers noted in their <a href="https://www.promptarmor.com/resources/claude-cowork-exfiltrates-files" target="_blank" rel="noopener">report this week</a> that the security flaw in <a href="https://securityboulevard.com/2025/11/anthropic-claude-ai-used-by-chinese-back-hackers-in-spy-campaign/" target="_blank" rel="noopener">Claude Code</a> was “acknowledged but not remediated by Anthropic.”</p>
<p>“As Anthropic has acknowledged this risk and put it on users to ‘avoid granting access to local files with sensitive information’ (while simultaneously encouraging the use of Cowork to organize your Desktop), we have chosen to publicly disclose this demonstration of a threat users should be aware of,” they wrote. “By raising awareness, we hope to enable users to better identify the types of ‘suspicious actions’ mentioned in Anthropic’s warning.”</p>
<p>By exploiting the vulnerability, threat actors can use malicious prompts to get Cowork to upload files containing sensitive data to the attacker’s own Anthropic account. The attack starts when a target connects Cowork to a local folder that contains confidential files.
The victim then uploads a file to Claude that includes a hidden prompt injection and has Cowork analyze the file.</p>
<p>“The injection tells Claude to use a ‘curl’ command to make a request to the Anthropic file upload API with the largest available file,” the researchers wrote. “The injection then provides the attacker’s API key, so the file will be uploaded to the attacker’s account. … Code executed by Claude is run in a VM – restricting outbound network requests to almost all domains – but the Anthropic API flies under the radar as trusted, allowing this attack to complete successfully.”</p>
<h3>A Dangerous Threat</h3>
<p>With the victim’s file in their account, the threat actor can chat with it, they added, noting that what makes the threat particularly dangerous is that Cowork can interact with a user’s work environment, including the system’s browsers and Model Context Protocol (MCP) servers, giving the agent the ability to send texts, control a Mac with AppleScripts, and other capabilities.</p>
<p>“These functionalities make it increasingly likely that the model will process both sensitive and untrusted data sources (which the user does not review manually for injections), making prompt injection an ever-growing attack surface,” the researchers wrote.</p>
<p>In pitching Cowork, Anthropic executives wrote that the agent was designed to simplify work by reducing the number of manual jobs and automating tasks that can run in parallel in Claude with whatever else the user is doing.</p>
<p>“If you’ve used Claude Code, this will feel familiar – Cowork is built on the very same foundations,” they wrote.
“This means Cowork can take on many of the same tasks that Claude Code can handle, but in a more approachable form for non-coding tasks.”</p>
<p>It’s available now as a research preview for Claude Max subscribers on Anthropic’s macOS app, and the vendor wrote that “we will improve it rapidly from here.”</p>
<h3>It’s Up to the User</h3>
<p>They also put much of the responsibility for securely using Cowork on users, noting that through the agent, workers can choose which folders and connectors Claude can see and which it can’t. Anthropic also warned users about the risk of prompt injections through content on the internet and wrote that agent safety “is still an active area of development in the industry.”</p>
<p>On a <a href="https://support.claude.com/en/articles/13364135-using-cowork-safely" target="_blank" rel="noopener">support page</a>, the vendor advises users to avoid granting access to local files with sensitive information, to limit access to trusted sites when using the Claude in Chrome extension, to give internet access only to trusted sites when using Claude’s default internet access settings, and to “monitor Claude for suspicious actions that may indicate prompt injection.”</p>
<p>However, the PromptArmor researchers noted that the agent is aimed at non-technical users who shouldn’t be expected to be able to detect actions that could indicate a prompt injection attack.</p>
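<p>The gap the researchers describe is that the sandbox trusts the Anthropic API by domain, so a command that uploads a local file with someone else’s API key passes the egress filter. The following Python monitor is an added example, not Cowork’s or PromptArmor’s code; it inspects a shell command before the sandbox runs it and flags a request to the trusted host whose credential is not one of the tenant’s own pinned keys, or that sends a local file. The tenant key, the attacker key and the sample commands are constructed placeholders.</p>

```python
import shlex
from dataclasses import dataclass
from urllib.parse import urlparse

# Hosts the sandbox egress filter already trusts by domain (the gap in the report).
TRUSTED_API_HOSTS = {"api.anthropic.com"}
# Credentials the tenant actually owns. Constructed placeholder value.
TENANT_KEYS = {"sk-ant-CONSTRUCTED-TENANT-KEY-0001"}
CRED_HEADERS = {"x-api-key", "authorization"}
FILE_FLAGS = {"-T", "--upload-file"}                            # always send a local file
DATA_FLAGS = {"-F", "--form", "-d", "--data", "--data-binary"}  # send a file when value is @path

@dataclass
class Finding:
    severity: str   # "critical" or "high"
    reason: str
    command: str

def _credentials(argv):
    # Collect values passed as -H 'x-api-key: ...' or -H 'Authorization: Bearer ...'.
    creds = set()
    for i, tok in enumerate(argv[:-1]):
        if tok in ("-H", "--header") and ":" in argv[i + 1]:
            name, value = argv[i + 1].split(":", 1)
            if name.strip().lower() in CRED_HEADERS:
                creds.add(value.strip().removeprefix("Bearer ").strip())
    return creds

def _uploads_local_file(argv):
    for i, tok in enumerate(argv[:-1]):
        if tok in FILE_FLAGS or (tok in DATA_FLAGS and "@" in argv[i + 1]):
            return True
    return False

def inspect_command(cmd):
    # Returns a Finding for a curl call that reaches a trusted host with a foreign
    # credential or a local file; None when the command is of no concern here.
    try:
        argv = shlex.split(cmd)
    except ValueError:
        return Finding("high", "unparseable shell command", cmd)
    if not argv or argv[0].rsplit("/", 1)[-1] != "curl":
        return None  # wrappers such as bash -c are out of scope for this example
    hosts = {urlparse(t).hostname for t in argv if t.startswith(("http://", "https://"))}
    if not hosts & TRUSTED_API_HOSTS:
        return None  # other hosts are the egress filter's job, not this monitor's
    if _credentials(argv) - TENANT_KEYS:
        return Finding("critical", "trusted API host called with a credential the tenant does not own", cmd)
    if _uploads_local_file(argv):
        return Finding("high", "local file uploaded to trusted API host", cmd)
    return None
```

<p>Pinning the credential, rather than only the domain, is what closes the path in the report: a request that carries a key the organisation does not own is blocked even though the host is allowlisted, and any upload of a local file to that host is surfaced for the user to confirm.</p>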