Claude AI Desktop App Exposes Peer Metadata and Messages via Insecure SQLite Permissions

A critical security misconfiguration in the Claude desktop application exposes user data to any other user on the same machine. The application creates an SQLite database file, `~/.claude-peers.db`, with insecure default file permissions, allowing any local user account to read its contents. This database contains peer metadata and message history, creating a significant privacy breach on shared or multi-user systems.

The vulnerability, classified as CWE-732 (Incorrect Permission Assignment for Critical Resource) and falling under OWASP's Broken Access Control category, stems from the application using the system's default umask when creating the database. This typically results in a file permission mode of 0644, making the file world-readable. The exposure is not limited to the main database file; associated Write-Ahead Logging (WAL) and Shared Memory (SHM) journal files are also created with the same insecure permissions, potentially leaking data in real-time.

The required fix is straightforward but essential: the application must explicitly set the database file permissions to mode 0600 immediately after creation, ensuring only the file's owner can read or write to it. This change must be applied consistently to the main database and all associated journal files to fully close the local privilege escalation and data exfiltration vector. The persistence of this flaw in a consumer-facing AI application highlights a basic but dangerous oversight in secure software deployment practices for desktop environments.