PromptFiction: one click made Claude Desktop execute attacker instructions with no review

On July 15, 2026, Oasis Security disclosed PromptFiction, a Claude Desktop vulnerability in which a crafted claude:// link opened the app and auto-submitted an attacker-written prompt with no send button and no chance for the user to read it. Malicious instructions hid below Claude's 'show more' message fold behind a benign visible request. Chained with Oasis's earlier Claudy Day findings, one click could silently exfiltrate conversation history through Anthropic's Files API, and with the official Filesystem Server installed, plant hidden code-injection instructions that led to remote code execution and shell persistence. Anthropic fixed the flaw in version 1.1.2321; prompts from links now pre-fill and wait for the user to press send.

Anthropic · Incident Jul 15, 2026 · Indexed Jul 17, 2026 · 3 sources

Records by entity: Anthropic

The short version

A single click handed Claude Desktop a hidden prompt it executed immediately: chat history exfiltration on a standard install, code execution where filesystem access was enabled. Anthropic patched it; the human is back in the loop.

The click is the whole attack.
What
On July 15, 2026, Oasis Security disclosed PromptFiction, a Claude Desktop vulnerability in which a crafted claude:// link opened the app and auto-submitted an attacker-written prompt with no send button and no chance for the user to read it.
Incident date
Jul 15, 2026
Who
Anthropic
Failure mode
Prompt Injection
AI surface
Copilot
Severity
Medium

What happened

Claude Desktop registers the claude:// URI scheme, and Oasis found that a link carrying a q parameter would open the app, start a new conversation, and submit the embedded prompt automatically, unlike the web app, which pre-fills and waits for Enter. Attackers could pad the prompt so the malicious portion collapsed below the interface's show-more fold, leaving only a friendly request visible, and could disguise delivery through an open redirect on a trusted claude.com address placed in ads, search results, chats, or documents. On a standard install the injected instructions could gather prior conversations and upload them via the Files API to an attacker's account; with the Filesystem Server enabled, they could plant standing instructions to insert remote-connection code into future scripts the user asked Claude to write, reaching code execution and persistence through shell config files. Oasis reported through Anthropic's Responsible Disclosure Program, credited an independent researcher who found the same flaw, and Anthropic shipped the fix in 1.1.2321.

What broke inside the model

Failure path · mode profile · Prompt Injection
  1. 01 · TriggerThe model reads retrieved or user-supplied text.
  2. 02 · Model stepThat text carries hidden instructions.
  3. 03 · Control gapNothing separates untrusted data from trusted commands.
  4. 04 · FailureThe injected instruction overrides the operator's.
  5. 05 · ConsequenceThe system acts on an outsider's intent.

At the injection point, retrieved text overrides the operator's instruction.

The application trusted the launching context more than it should have: a URI scheme designed for deep-linking delivered attacker-authored text straight into the agent's execution path with no proof a human wrote it or agreed to send it. The assistant did what it is built to do and followed the prompt in front of it. The failure was upstream, in the missing boundary between arrived instructions and approved instructions, compounded by a UI fold that let the visible conversation diverge from the executed one.

Public visibilityHigh
Regulatory exposureNone
Customer impactMany customers
Financial impactUnknown
Time to disclosureDays
  1. PrimaryPromptFiction: a one-click flaw that made Claude Desktop act without consentoasis.security
  2. PressClaude Flaw Automatically Sends Malicious Prompts to AI Agentsdarkreading.com
  3. PressPromptFiction Flaw Auto-Submitted Hidden Prompts in Claude Desktophackread.com
Permalinkhttps://failureindex.ai/failures/promptfiction-claude-desktop-one-click-injection
CitationAI Failure Index. "PromptFiction: one click made Claude Desktop execute attacker instructions with no review" (FI-0723). Realm Labs. https://failureindex.ai/failures/promptfiction-claude-desktop-one-click-injection (indexed Jul 17, 2026).
Share cardA branded image of this record for posts and slides.

Data fields CC-BY 4.0, prose citation permitted. Incident ID FI-0723. Full dataset at /data.

Note from Realm Labs, the Index steward

How Realm would have caught this

Controls for this failure mode
  • Prism
  • OmniGuard

AgentRealm binds agent actions to verified human intent, so instructions that arrive through a side channel rather than a user's deliberate submission carry no execution authority. Prism flags the divergence between the visible conversational context and the full instruction set the model is actually acting on. OmniGuard holds the downstream tells, conversation-history reads feeding an outbound upload, or code writes injecting network calls the user never asked for, and blocks them at the boundary.