PatchSiren cyber security CVE debrief
CVE-2026-22561 Anthropic CVE debrief
CVE-2026-22561 is a Windows installer weakness in Anthropic Claude Setup.exe versions prior to 1.1.3363. The issue is an uncontrolled search path element / DLL search-order hijacking problem: after UAC elevation, the installer can load DLLs from its own directory, so a malicious DLL placed alongside the installer may be executed in a privileged context. The vulnerability is rated medium severity in NVD and is tracked as CWE-427. For defenders, the main concern is local privilege escalation on affected Windows endpoints where an attacker can place files next to the installer and influence execution during setup. The practical mitigation is to move to the fixed release and treat installer files as sensitive artifacts that should not be run from untrusted or writable locations.
- Vendor: Anthropic
- Product: CVE-2026-22561
- CVSS: MEDIUM 4.7
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-03-31
- Original CVE updated: 2026-05-10
- Advisory published: 2026-03-31
- Advisory updated: 2026-05-10
Who should care
Windows endpoint defenders, IT admins, software deployment teams, and security responders who distribute or run Anthropic Claude for Windows installers should care most. Any environment where users can download, copy, or launch installers from shared or writable folders is at higher practical risk.
Technical summary
NVD lists this as CWE-427 and marks Anthropic Claude for Windows versions prior to 1.1.3363 as vulnerable. The installer can resolve and load DLLs from its own directory after elevation; a planted DLL such as profapi.dll can be loaded instead of a trusted system copy, creating a local privilege escalation path. The vulnerability requires local access and user interaction, and the published CVSS v4 vector reflects local attack conditions with high impacts to system components.
Defensive priority
Medium priority, but patch promptly if Claude for Windows is installed on endpoints that handle untrusted downloads, shared folders, or local software installation workflows. Because the issue can cross into privileged execution during setup, it should be remediated quickly in standard enterprise patch cycles.
Recommended defensive actions
- Upgrade Anthropic Claude for Windows to version 1.1.3363 or later.
- Remove or quarantine downloaded installers that are kept in writable or shared directories after use.
- Restrict who can place files in directories where privileged installers are executed.
- Review endpoint hardening guidance to reduce DLL side-loading opportunities for elevated processes.
- Check for unexpected DLLs near Claude Setup.exe on systems where the installer was staged or run from nonstandard locations.
- Monitor Windows endpoints for suspicious installer launches or unusual DLL loads during software installation workflows.
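One way to carry out the check for unexpected DLLs near Claude Setup.exe, as an added example that is not code from this advisory or from the vendor. The search roots and the installer file-name pattern are assumptions to adjust per environment; a DLL whose name also exists in System32 (profapi.dll is the case named above) is flagged for review first.

```powershell
# Added example: list DLLs sitting beside a staged Claude installer.
# Assumptions: the search roots and the file-name pattern below are guesses
# at where installers get staged; change them for your environment.
param(
    [string[]]$SearchRoots = @("$env:USERPROFILE\Downloads", "$env:PUBLIC", "$env:TEMP"),
    [string]$InstallerPattern = 'Claude*Setup*.exe'
)

$system32 = Join-Path $env:SystemRoot 'System32'

function Get-InstallerSiblingDll {
    param([string[]]$Roots, [string]$Pattern)

    # Find every staged installer, then reduce to the unique folders holding one.
    $installers = Get-ChildItem -Path $Roots -Filter $Pattern -File -Recurse `
        -ErrorAction SilentlyContinue
    $dirs = $installers | Select-Object -ExpandProperty DirectoryName -Unique

    foreach ($dir in $dirs) {
        # Any DLL in the installer's own folder is a load candidate after elevation.
        $dlls = Get-ChildItem -LiteralPath $dir -Filter '*.dll' -File `
            -ErrorAction SilentlyContinue
        foreach ($dll in $dlls) {
            $sig = Get-AuthenticodeSignature -LiteralPath $dll.FullName
            [pscustomobject]@{
                Directory        = $dir
                Dll              = $dll.Name
                # True when a same-named DLL ships in System32 (e.g. profapi.dll).
                ShadowsSystemDll = Test-Path -LiteralPath (Join-Path $system32 $dll.Name)
                SignatureStatus  = $sig.Status
                Signer           = if ($sig.SignerCertificate) {
                                       $sig.SignerCertificate.Subject
                                   } else { $null }
                Sha256           = (Get-FileHash -LiteralPath $dll.FullName `
                                       -Algorithm SHA256).Hash
                LastWriteTime    = $dll.LastWriteTime
            }
        }
    }
}

# Show name collisions with System32 first; unsigned ones deserve the closest look.
Get-InstallerSiblingDll -Roots $SearchRoots -Pattern $InstallerPattern |
    Sort-Object -Property ShadowsSystemDll -Descending |
    Format-List
```

An empty result means no DLL shares a folder with a matching installer under the searched roots; it says nothing about folders outside those roots.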
Evidence notes
The source corpus states that Anthropic Claude for Windows installer versions prior to 1.1.3363 are vulnerable to DLL search-order hijacking and local privilege escalation. The NVD record classifies the weakness as CWE-427 and provides the version boundary. The CVE was published on 2026-03-31 and modified on 2026-05-10, which are the relevant timing fields for this advisory. A vendor advisory is referenced in the NVD metadata via trust.anthropic.com.
Official resources
- CVE-2026-22561 CVE record: CVE.org
- CVE-2026-22561 NVD detail: NVD
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Vendor Advisory
Publicly disclosed in NVD on 2026-03-31 and modified on 2026-05-10. The source corpus cites a vendor advisory from Anthropic via trust.anthropic.com.