The newly disclosed vulnerability in Anthropic’s Claude Desktop application allowed a malicious link to automatically submit attacker-created prompts to the AI assistant without requiring a user to press ‘send’. Combined with previously reported flaws, the issue could have exposed sensitive data, accessed local files, and potentially enabled remote code execution before Anthropic released a fix.
A separate issue affecting Claude for Chrome showed how a rogue browser extension could impersonate user requests and direct Claude to access connected services, including Gmail, Google Drive, and GitHub. The vulnerabilities reveal how attackers can exploit the software surrounding an AI assistant to gain access to connected systems.
Anthropic has addressed the reported vulnerabilities, but the incidents show what can happen when AI assistants are trusted with access to business systems and enterprise data.
Why It Matters: AI assistants are taking on work that once belonged to employees, often operating with the same trusted access people use every day. As organizations connect these tools to internal systems, the focus is no longer limited to the AI model. The way an agent is granted access, the actions it is allowed to perform, and the safeguards surrounding those decisions are becoming central to enterprise AI governance.
- A Single Click Replaced the “Send” Button: PromptFiction exploited Claude Desktop’s custom claude:// protocol, allowing a malicious link to automatically submit an attacker-created prompt after opening Claude. Whether delivered through an email, document, or website, users never had the opportunity to review or approve what was being sent.
- The Attack Was Designed to Go Unnoticed: Attackers could pad the prompt with harmless-looking text that triggered Claude’s message-folding feature, leaving the malicious instructions hidden from view. Unless someone expanded the message, the conversation appeared to contain an ordinary request.
- One Vulnerability Opened the Door for Another: On its own, PromptFiction enabled automatic prompt injection. When paired with the previously disclosed “Claudy Day” vulnerabilities, Oasis Security found it could expose conversation history, access local files, establish persistence, and potentially enable remote code execution.
- The Browser Became Part of the Attack: A separate issue affecting Claude for Chrome showed how a rogue browser extension could impersonate the user and issue commands to Claude. With the right permissions, the assistant could retrieve Gmail messages, access Google Drive files, or send email without the request actually coming from the user. Manifold Security says the underlying trust issue still remains.
- AI Governance Doesn’t Stop With the Model: As AI assistants become embedded in business operations, the focus expands from the model to the trust placed around it. The permissions an agent receives ultimately matters just as much as the intelligence it provides.
Go Deeper -> Claude Flaw Automatically Sends Malicious Prompts to AI Agents – 20DarkReading
Claude for Chrome flaw could let rogue extensions access your Gmail – Malwarebytes
Trusted insights for technology leaders
Our readers are CIOs, CTOs, and senior IT executives who rely on The National CIO Review for smart, curated takes on the trends shaping the enterprise, from GenAI to cybersecurity and beyond.
Subscribe to our 4x a week newsletter to keep up with the insights that matter.


