[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f6IOUdnteomjzbaEynvHlva1FaTbi9kWF-P0N9Zn9y_Y":3},{"article":4,"iocs":53},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":32,"category":33,"article_tags":37},"f1e0d826-39c8-4aa7-ad9f-47a6fd279e22","PromptFiction Flaw Auto-Submitted Hidden Prompts in Claude Desktop","promptfiction-flaw-auto-submitted-hidden-prompts-in-claude-desktop-a3062f","A one-click Claude Desktop flaw allowed attackers to submit concealed instructions without review, exposing chats and enabling code execution on some systems remotely.","A vulnerability in Claude Desktop's claude:\u002F\u002F URI scheme handler allowed attackers to submit concealed prompts automatically when users clicked crafted links, bypassing the confirmation screen present in the web version. By hiding malicious instructions below collapsed text in long messages, attackers could exfiltrate previous conversations, expose sensitive chat history, or execute code on systems with local file access through MCP servers. Anthropic patched the flaw after responsible disclosure by Oasis Security.","PromptFiction flaw in Claude Desktop auto-submitted hidden prompts via crafted links without user review.","Security Artificial IntelligencePromptFiction Flaw Auto-Submitted Hidden Prompts in Claude Desktop A one-click Claude Desktop flaw allowed attackers to submit concealed instructions without review, exposing chats and enabling code execution on some systems remotely. byWaqasJuly 15, 20264 minute read Listen to this article 0:00 — ← 10s ▶ Play 10s → Speed 0.75× 1× 1.25× 1.5× 2× Voice Loading voices… Press play to start listening A single click on a crafted link could cause Claude Desktop to execute attacker-written instructions without prompting the user to review or send the prompt, according to new research from Oasis Security. The vulnerability, named PromptFiction, affected Anthropic’s Claude Desktop application and used its custom claude:\u002F\u002F URL scheme. For context, a malicious link could open the app, submit a prepared prompt automatically, and instruct the AI agent to access sensitive information or perform actions through connected tools. Anthropic fixed the flaw after it was reported through the company’s Responsible Disclosure Program. However, before the correction, clicking a crafted link was enough to submit the prompt, with no confirmation screen or opportunity to inspect the instructions before Claude processed them. A desktop link became an automatic command Claude Desktop registers itself as a handler for the claude:\u002F\u002F URI scheme when installed. Custom URI schemes allow websites and other applications to open desktop software, much like links used for email clients, video meetings, and messaging apps. In a report shared with Hackread.com ahead of publication on Tuesday, Oasis Security researchers said Claude Desktop accepted a q parameter containing prompt text. A link such as claude:\u002F\u002Fclaude.ai\u002Fnew?q=tell me a joke opened a new conversation and automatically submitted the request. Claude’s web application handled the same type of link differently. There, the prompt could appear in the chat box, but nothing happened until the user reviewed it and pressed Enter. Claude Desktop skipped that final approval step. With control over the text inside the URL, an attacker could send instructions directly to the AI agent through links in messages, documents, browser pages, or search results. Long prompts helped conceal malicious instructions Attackers could make the submitted message appear harmless by placing a friendly request at the beginning and moving malicious instructions farther down. Claude’s interface collapses long messages behind a “show more” option. By adding numerous encoded line breaks after the visible request, an attacker could place the harmful section below the collapsed portion of the message. A user might see a request asking Claude to generate ASCII art, while Claude received a complete prompt containing instructions to collect previous conversations, upload information, or preserve hidden commands for later tasks. Since the prompt had already been submitted, the user had little reason to open and inspect the collapsed text. Previous Claude conversations could be uploaded to an attacker On a standard Claude Desktop installation, PromptFiction could be combined with an earlier technique documented by Oasis to extract information from previous conversations. The injected instructions could direct Claude to retrieve sensitive chat content, save it as a file, and upload it through Anthropic’s Files API using credentials supplied by the attacker. The uploaded material would then appear in the attacker’s Anthropic account. This route did not require an MCP server, third-party integration, or local file access. According to Oasis, conversation history and stored context could expose information involving work, source code, finances, health, relationships, or internal company activity. Filesystem access could extend the attack to code execution The impact increased when Claude Desktop had access to local files through an MCP server. Oasis examined Anthropic’s Filesystem Server, which allows Claude to read and write files within approved directories. An injected prompt could ask Claude to display harmless ASCII art while leaving a hidden instruction to add remote debugging code whenever it later created or modified Python or JavaScript files. When the user later asked Claude to create or modify an ordinary script, the agent could follow both the legitimate request and the attacker’s earlier instruction. Any filesystem permission request would appear consistent with the task because the user had initiated the file operation. The hidden prompt framed the added code as a pre-approved remote debugging feature and instructed Claude not to mention it again. As a result, Claude could insert attacker-controlled connection code near the beginning of the requested file without explaining the addition. When the user ran the program during normal development work, the injected code could connect to an attacker-controlled system. Oasis also described a persistence method involving shell configuration files such as .zshrc or .bashrc when those locations were accessible through the filesystem integration. Trusted-looking links could be used for delivery Oasis said the link could be concealed through a delivery method previously documented in its Claudy Day research. Researchers described using an open redirect on the claude.com domain to hide the underlying claude:\u002F\u002F destination. The resulting link could appear to use a trusted Claude address while redirecting the operating system to Claude Desktop. According to Oasis, attackers could place the disguised links in Google Search or Gmail ads aimed at selected users. Clicking one would open Claude Desktop and automatically submit the prepared prompt. Anthropic has since addressed this delivery method. Anthropic changed Claude Desktop’s link behavior Following the fix, prompts delivered through the claude:\u002F\u002F scheme are pre-filled but require the user to review and send them. Oasis said the change shipped with Claude Desktop version 1.1.2321, and users running an earlier release should update to that version or a newer build. The report was submitted through Anthropic’s Responsible Disclosure Program and published in coordination with the company. Oasis also acknowledged that another researcher independently reported the vulnerability and made no claim to sole discovery. Waqas I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cybersecurity and tech world. I am also into gaming, reading and investigative journalism. View Posts AIAnthropicClaudeCybersecurityOasis SecurityPromptFictionsecurityVulnerability Leave a Reply Cancel reply View Comments (0) Related Posts Read More Security Dark web hacker selling admin access to a Chinese railway company The IT security researchers at Sixgill‘s threat intelligence team have identified an “experienced threat actor” on the dark… byWaqas Read More Security NATO Probes Hackers Selling Data from Top Missile Firm MBDA A cybercrime gang is selling classified data apparently stolen from European firm MBDA Missile Systems. For your information, MBDA is… byWaqas Read More Security New Detection Method Uses Hackers’ Own Jitter Patterns Against Them A new detection method from Varonis Threat Labs turns hackers' sneaky random patterns into a way to catch hidden cyberattacks. Learn about Jitter-Trap and how it boosts cybersecurity defenses. byDeeba Ahmed Read More Security Vulnerability in Web Codes causes Data Dumping onto Personal Computers Caution: Weakness of Web Codes causes Data Dumping onto Personal Computers A web developer has revealed that by… byWaqas","https:\u002F\u002Fhackread.com\u002Fpromptfiction-flaw-auto-prompts-claude-desktop\u002F","https:\u002F\u002Fhackread.com\u002Fwp-content\u002Fuploads\u002F2026\u002F07\u002Fpromptfiction-flaw-auto-prompts-claude-desktop.jpg","2026-07-15T12:29:42+00:00","2026-07-15T14:00:27.450595+00:00",8,[18,21,24,26,29],{"name":19,"type":20},"Claude Desktop","product",{"name":22,"type":23},"Anthropic","vendor",{"name":25,"type":23},"Oasis Security",{"name":27,"type":28},"MCP (Model Context Protocol) Server","technology",{"name":30,"type":31},"PromptFiction","campaign","80544778-fabb-4dcd-aa35-17492e5dcf4f",{"id":32,"icon":34,"name":35,"slug":36},null,"Vulnerabilities","vulnerabilities",[38,43,48],{"category":39},{"id":40,"icon":34,"name":41,"slug":42},"2c8f44d4-b56e-47cf-9677-04f22c9ee78d","Identity & Access","identity-access",{"category":44},{"id":45,"icon":34,"name":46,"slug":47},"574f766a-fb3f-487c-8d2c-0720ae75471b","Zero-day","zero-day",{"category":49},{"id":50,"icon":34,"name":51,"slug":52},"839da5c1-3c34-47e2-9499-f7201640e3ac","AI Security","ai-security",[]]