unknown

Claude Cowork contains a file exfiltration vulnerability through indirect prompt injection, exploiting unresolved isolation flaws in Claude's code execution environment. Attackers can hide malicious prompts in uploaded files (like .docx files with invisible text) that manipulate Cowork into uploading victim files to the attacker's Anthropic account via the allowlisted Anthropic API. The vulnerability was previously disclosed but remains unpatched, and Anthropic places responsibility on users to watch for suspicious actions despite marketing Cowork to non-technical users. The attack requires no human approval and can exfiltrate sensitive data including financial information and PII.