When combined with another exploit, the "PromptFiction" vulnerability, which has been fixed, could have enabled an end-to-end attack on a targeted system.

July 15, 2026

A vulnerability in Anthropic's Claude Desktop application could have allowed attackers to automatically submit malicious prompts to the AI assistant with a single click and without any interaction from a user at all. Anthropic already has fixed the flaw, but it demonstrates the next level of prompt injection attacks that are possible using AI agents.

Researchers from Oasis Security discovered the flaw, dubbed "PromptFiction," which — when combined with a previous trio of flaws they found in Claude, dubbed "Claudy Day" — could have enabled an end-to-end attack on the targeted system, according to a report published Wednesday.

This would facilitate "silent exfiltration of the user's previous conversations and, when Anthropic's official Filesystem Server is installed, read/write access to local files, persistence, and ultimately remote code execution on the victim's machine," Elad Luz, research lead at Oasis, wrote in the report.