Exploiting Root Execution in Claude Cowork's Sandbox
The article describes a security research finding where the author discovered that in Claude Cowork's sandboxed environment, commands could be executed with root privileges, bypassing expected restrictions. The researcher demonstrated this by running a command as root, highlighting a potential sandbox escape vulnerability in the system's isolation mechanisms.
Background
- Claude Cowork is an AI-powered coding assistant by Anthropic that runs untrusted user code inside a "sandbox" — a restricted Linux environment meant to prevent malicious operations.
- This blog post (by Armada, a security research group) details a vulnerability they found: the sandbox allowed applications to run as the `root` user (the superuser with full system privileges), defeating the purpose of containment.
- By exploiting root access, the researchers were able to escape the sandbox entirely, exfiltrate files, and execute arbitrary commands on the underlying host — meaning a user's malicious code could compromise the broader system.
- The exploit was responsibly disclosed to Anthropic, which has since patched the issue. The post serves as both a technical writeup and a reminder of the difficulty of securely sandboxing AI agents that need to run arbitrary code.