Full Report
Office workers without AI experience warned to watch for prompt injection attacks - good luck with that Anthropic's tendency to wave off prompt-injection risks is rearing its head in the company's new Cowork productivity AI, which suffers from a Files API exfiltration attack chain first disclosed last October and acknowledged but not fixed by Anthropic.…
Analysis Summary
# Vulnerability: Prompt Injection Leading to Files API Data Exfiltration in Anthropic Cowork
## CVE Details
- CVE ID: Not explicitly assigned in the text. (Related to previously disclosed issues from October.)
- CVSS Score: Not explicitly provided.
- CWE: Likely related to CWE-78 (Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')) or specific AI/LLM weaknesses like CWE-1001 (Improper Neutralization of Special Elements in an LLM Prompt leading to Prompt Injection).
## Affected Systems
- Products: Anthropic Cowork productivity AI.
- Versions: Unspecified, affecting the initial release/general availability.
- Configurations: Systems where Cowork has been granted access to local folders containing sensitive information.
## Vulnerability Description
The vulnerability is a **Files API exfiltration attack chain** triggered by **prompt injection**. An attacker can embed a malicious prompt within a document that the user connects to Cowork. When Cowork analyzes this document, the injected prompt executes, tricking the agent into using the Files API to exfiltrate sensitive files (which Cowork has access to) to the attacker's own Anthropic API endpoint. This occurs without requiring additional user approval after the initial configuration access is granted.
## Exploitation
- Status: PoC available (Demonstrated by PromptArmor, building on prior research).
- Complexity: Low (Requires user to connect Cowork and upload/analyze a document containing the injected prompt).
- Attack Vector: Adjacent (Requires the user to initiate the vulnerable process by connecting files and documents).
## Impact
- Confidentiality: High (Sensitive data, PII, financial information can be exfiltrated to an external attacker-controlled account).
- Integrity: Low (The primary impact is data theft, not modification of system integrity).
- Availability: Low (No direct impact on the availability of the Cowork service).
## Remediation
### Patches
- Anthropic plans to ship an update to the Cowork VM **today** (relative to the article date) to improve its interaction with the vulnerable API. Further security improvements are forthcoming.
### Workarounds
- Avoid connecting Cowork to sensitive documents.
- Limit Cowork's Chrome extension usage to only trusted sites.
- Users must actively monitor Cowork for "suspicious actions that may indicate prompt injection."
## Detection
- **Indicators of Compromise:** Unexpected API calls or large data transfers originating from the Cowork agent, or sensitive files appearing in an attacker's Anthropic environment.
- **Detection methods and tools:** Monitoring network traffic related to the Cowork agent's API interactions for unauthorized exfiltration patterns. (The article suggests relying heavily on manual user vigilance.)
## References
- Prior research disclosed in October regarding Claude Code by Johann Rehberger: defanged://embracethered.com/blog/posts/2025/claude-abusing-network-access-and-anthropic-api-for-data-exfiltration/
- PromptArmor disclosure (Implied source of the current report).
- Anthropic Cowork Announcement: defanged://claude.com/blog/cowork-research-preview
- Anthropic Cowork Safety Guide: defanged://support.claude.com/en/articles/13364135-using-cowork-safely