Improper validation of certificate with host mismatch in Claude Desktop - CVE-2026-44467
Published: May 7, 2026
Claude Desktop
Detailed vulnerability description
The vulnerability allows a remote attacker to intercept and modify remote development sessions.
The vulnerability exists due to improper validation of certificate with host mismatch in the SSH remote development feature when establishing SSH connections to known hosts. A remote attacker can present an arbitrary SSH host key to intercept and modify remote development sessions.
Exploitation requires the attacker to be in a network position to intercept SSH traffic, and the target hostname must already have an entry in the victim's known_hosts file.
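The check this class of flaw concerns, as an added example (not Claude Desktop's code and not a reconstruction of the flaw): a verifier that accepts a server only when the presented host key equals a key stored for that hostname in known_hosts. The function names and the sample entries are constructed for illustration.

```javascript
// Added example. All names and sample data are constructed.
// Scope: plain host entries matched by exact name. Marker lines (@...) and
// hashed hosts (|1|...) are skipped; wildcard patterns are not interpreted.

function hostToken(host, port) {
  // known_hosts writes non-default ports as "[host]:port".
  return port === 22 ? host : `[${host}]:${port}`;
}

function parseKnownHosts(text) {
  const entries = [];
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#') || line.startsWith('@')) continue;
    const [hosts, type, b64] = line.split(/\s+/);
    if (!b64 || hosts.startsWith('|')) continue;
    entries.push({ hosts: hosts.split(','), type, key: Buffer.from(b64, 'base64') });
  }
  return entries;
}

// Returns 'match', 'mismatch' or 'unknown' for the key the server presented.
function checkHostKey(entries, host, port, keyType, keyBlob) {
  const token = hostToken(host, port);
  const forHost = entries.filter((e) => e.hosts.includes(token));
  if (forHost.length === 0) return 'unknown';
  // Finding the hostname is not sufficient: the presented key bytes must
  // equal a stored key. A stored key of another type also counts as mismatch.
  const ok = forHost.some((e) => e.type === keyType && e.key.equals(keyBlob));
  return ok ? 'match' : 'mismatch';
}

// Only 'match' proceeds without user involvement; 'mismatch' always aborts.
function mayConnect(result) {
  return result === 'match';
}

// Constructed sample: placeholder bytes stand in for real public key blobs.
const KEY_A = Buffer.from('constructed-host-key-A');
const KEY_B = Buffer.from('constructed-host-key-B');
const SAMPLE = [
  '# constructed known_hosts content',
  `dev.example.test ssh-ed25519 ${KEY_A.toString('base64')}`,
  `[build.example.test]:2222 ssh-ed25519 ${KEY_A.toString('base64')} ci`,
].join('\n');

const entries = parseKnownHosts(SAMPLE);
console.log(checkHostKey(entries, 'dev.example.test', 22, 'ssh-ed25519', KEY_A));
console.log(checkHostKey(entries, 'dev.example.test', 22, 'ssh-ed25519', KEY_B));
```

A host with a stored entry and a different presented key is the 'mismatch' case; it is kept distinct from 'unknown' so that it can never fall through to a first-connection prompt.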