CVE-2026-22561
Published: 31 March 2026
Summary
CVE-2026-22561 is a high-severity Uncontrolled Search Path Element (CWE-427) vulnerability in Anthropic Claude. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique DLL Search Order Hijacking (T1038); ranked at the 1.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related — categorised as APIs and Models.
The strongest mitigations our analysis identified are NIST 800-53 CM-14 (Signed Components) and CM-6 (Configuration Settings).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates the vulnerability by requiring timely flaw remediation through updating the Claude Setup.exe installer to version 1.1.3363 or later, which resolves the DLL search-order hijacking.
Prevents execution of malicious DLLs like a planted profapi.dll by requiring digital signatures for software components prior to installation and execution.
Mitigates DLL search-order hijacking by enforcing secure configuration settings such as Safe DLL Search Mode, which prioritizes system directories before the installer's current directory.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Explicit DLL search-order hijacking (CWE-427) in Windows installer enables planting malicious DLL for local privilege escalation after UAC elevation.
NVD Description
Uncontrolled search path elements in Anthropic Claude for Windows installer (Claude Setup.exe) versions prior to 1.1.3363 allow local privilege escalation via DLL search-order hijacking. The installer loads DLLs (e.g., profapi.dll) from its own directory after UAC elevation, enabling arbitrary code…
more
execution if a malicious DLL is planted alongside the installer.
Deeper analysisAI
CVE-2026-22561 is a vulnerability involving uncontrolled search path elements in the Anthropic Claude for Windows installer, specifically Claude Setup.exe versions prior to 1.1.3363. It enables local privilege escalation through DLL search-order hijacking, classified under CWE-427. The installer loads certain DLLs, such as profapi.dll, from its own directory after User Account Control (UAC) elevation, which can be exploited if a malicious DLL is placed alongside the executable.
A local attacker can exploit this vulnerability by planting a malicious DLL in the same directory as the installer executable. Exploitation requires the victim to run the installer, which prompts for UAC elevation and user interaction (UI:R), granting local access (AV:L) with no prior privileges (PR:N) and low complexity (AC:L). Successful hijacking allows arbitrary code execution with elevated privileges, resulting in high confidentiality, integrity, and availability impacts (CVSS 7.8).
Anthropic has published an advisory with details on the vulnerability at https://trust.anthropic.com/resources?s=1cvig6ldp3zvuj1yffzr11&name=cve-2026-22561-dll-search-order-hijacking-in-claude-for-windows-installer. The issue affects versions prior to 1.1.3363, indicating that updating to 1.1.3363 or later resolves the vulnerability.
Details
- CWE(s)
Affected Products
AI Security AnalysisAI
- AI Category
- APIs and Models
- Risk Domain
- N/A
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Matched keywords: claude, claude