PT-2026-38362 · Anthropic · Claude Desktop

Published: 2026-05-07 · Updated: 2026-05-13 · CVE-2026-44467

CVSS v4.0: 7.4 (High)

Vector: AV:A/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions

Claude Desktop versions 1.2581.0 through 1.4303.0

Description

The SSH remote development feature does not compare the host key presented by the server against the stored key; it verifies only that the hostname has an entry in the ~/.ssh/known_hosts file. This allows a network-positioned attacker to present an arbitrary SSH host key and have the connection silently accepted, enabling a man-in-the-middle attack on remote development sessions. A man-in-the-middle attack occurs when an attacker secretly relays and possibly alters the communications between two parties who believe they are directly communicating with each other. Exploitation requires the attacker to be able to intercept SSH traffic and for the target hostname to already have an entry in the victim's known_hosts file.

Recommendations

Update to version 1.4304.0.
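
The gap between the hostname-presence check in the description and an actual host key comparison, shown as an added Python example (not Claude Desktop's code). Function names, hosts and key blobs are constructed for illustration; wildcard patterns, negation and `[host]:port` entries are not handled.

```python
import base64
import hashlib
import hmac

def host_matches(field, hostname):
    """Match a known_hosts host field: comma list, or hashed |1|salt|HMAC-SHA1."""
    if field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = field.split("|")
        mac = hmac.new(base64.b64decode(salt_b64), hostname.encode(), hashlib.sha1)
        return hmac.compare_digest(mac.digest(), base64.b64decode(mac_b64))
    return hostname in field.split(",")

def entries_for(known_hosts_text, hostname):
    """Yield (marker, key_type, key_blob) for each entry naming hostname."""
    for line in known_hosts_text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        marker = fields.pop(0) if fields[0].startswith("@") else ""
        if len(fields) >= 3 and host_matches(fields[0], hostname):
            yield marker, fields[1], base64.b64decode(fields[2])

def hostname_only_check(known_hosts_text, hostname, key_type, key_blob):
    """Flawed logic as the advisory describes it: an entry for the host suffices."""
    return any(True for _ in entries_for(known_hosts_text, hostname))

def strict_check(known_hosts_text, hostname, key_type, key_blob):
    """Accept only a presented key equal to a stored, non-revoked host key."""
    accepted = False
    for marker, stored_type, stored_blob in entries_for(known_hosts_text, hostname):
        same = stored_type == key_type and hmac.compare_digest(stored_blob, key_blob)
        if same and marker == "@revoked":
            return False
        accepted = accepted or (same and marker == "")
    return accepted

# Constructed sample data: placeholder blobs and hosts, not real keys.
STORED = b"constructed-stored-host-key"
OTHER = b"constructed-unexpected-key"
SAMPLE = "dev.example.test,192.0.2.10 ssh-ed25519 %s\n" % base64.b64encode(STORED).decode()

if __name__ == "__main__":
    for label, blob in (("stored key", STORED), ("different key", OTHER)):
        print(label, hostname_only_check(SAMPLE, "dev.example.test", "ssh-ed25519", blob),
              strict_check(SAMPLE, "dev.example.test", "ssh-ed25519", blob))
```

The hostname-only check returns the same result for both keys, which is why a changed host key produces no warning in the affected versions.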

Fix

Weakness Enumeration

Related Identifiers

CVE-2026-44467

Affected Products

Claude Desktop