CVE-2026-24052

Claude Code has a Domain Validation Bypass which Allows Automatic Requests to Attacker-Controlled Domains

CVSS 7.1 HIGH · EPSS 0.3% · CWE-601
In short

Claude Code checked whether a URL began with a trusted domain name but never checked where that name ended. An attacker who controls a domain such as example.com could serve a host named modelcontextprotocol.io.example.com, which passes the check, so the tool would send requests to the attacker's server automatically, potentially exfiltrating data.

Technical detail

The vulnerability is in the trusted-domain validation for WebFetch requests, which used a startsWith() comparison instead of checking that the trusted name ends on a domain-label boundary. An attacker who controls a domain such as example.com can serve a host named modelcontextprotocol.io.example.com: it begins with the trusted name, so it passes validation, and Claude Code issues the request automatically to attacker-controlled infrastructure, potentially exfiltrating sensitive data without user consent. The issue is fixed in version 1.0.111.
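The check described above, with a boundary-aware replacement beside it, as an added example. This is not Claude Code's own source; the advisory shows no code. The vulnerable form assumes the check ran startsWith() over the URL with its scheme stripped, the function names and the allowSubdomains option are illustrative, and the sample URLs (other than the advisory's modelcontextprotocol.io.example.com shape) are constructed to cover the prefix, suffix, userinfo and scheme cases a hardened check must also handle.

```javascript
// Added example (not Claude Code's own code): a startsWith() allowlist check
// of the kind the advisory describes, beside a boundary-aware replacement.
// Function names, the allowSubdomains option and the sample URLs are
// assumptions for illustration; only the two trusted domains come from the advisory.

// Trusted hosts named in the advisory.
const TRUSTED_DOMAINS = ["docs.python.org", "modelcontextprotocol.io"];

// Vulnerable shape (assumed): strip the scheme and prefix-match the rest.
// Nothing checks where the trusted label sequence ends, so any host that
// *starts* with a trusted name passes, including names the attacker owns.
function isTrustedVulnerable(rawUrl) {
  const withoutScheme = rawUrl.replace(/^[a-z][a-z0-9+.-]*:\/\//i, "");
  return TRUSTED_DOMAINS.some((d) => withoutScheme.startsWith(d));
}

// Lower-case and drop a trailing dot (FQDN form) so "Example.COM." compares
// equal to "example.com"; the WHATWG parser already lower-cases ASCII hosts.
function normaliseHost(hostname) {
  return hostname.toLowerCase().replace(/\.$/, "");
}

// Hardened check: parse the URL so userinfo ("user@host") cannot masquerade
// as the host, require https, then match the *hostname* exactly or, if
// subdomains are allowed, require the trusted name to follow a "." so it sits
// on a label boundary. endsWith(d) without the dot would still accept
// "evilmodelcontextprotocol.io".
function isTrustedHardened(rawUrl, allowSubdomains = false) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return false; // unparseable input is never trusted
  }
  if (url.protocol !== "https:") return false;
  const host = normaliseHost(url.hostname);
  return TRUSTED_DOMAINS.some(
    (d) => host === d || (allowSubdomains && host.endsWith("." + d)),
  );
}

// Constructed inputs: the CVE-2026-24052 shape plus related confusions.
const SAMPLES = [
  "https://modelcontextprotocol.io/spec",            // legitimate
  "https://spec.modelcontextprotocol.io/",           // legitimate subdomain
  "https://modelcontextprotocol.io.example.com/x",   // advisory's attacker host
  "https://docs.python.org.attacker.test/",          // same trick, other domain
  "https://modelcontextprotocol.iox.example.com/",   // prefix with no boundary
  "https://evilmodelcontextprotocol.io/",            // suffix with no boundary
  "https://modelcontextprotocol.io@attacker.test/",  // trusted name in userinfo
  "http://modelcontextprotocol.io/",                 // plaintext scheme
  "https://MODELCONTEXTPROTOCOL.IO./",               // case and trailing dot
];

// Run both checks over the samples; returns the table rather than only printing it.
function evaluate(allowSubdomains = false) {
  return SAMPLES.map((u) => ({
    url: u,
    vulnerable: isTrustedVulnerable(u),
    hardened: isTrustedHardened(u, allowSubdomains),
  }));
}

for (const r of evaluate()) {
  console.log(
    `${r.vulnerable ? "vuln:allow" : "vuln:deny "}  ` +
      `${r.hardened ? "fixed:allow" : "fixed:deny "}  ${r.url}`,
  );
}
```

Whether subdomains of a trusted domain should be accepted is a policy choice, not a correctness one; the default here is exact host match because that is the stricter allowlist, and the boundary check only matters once subdomains are opened up.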

Summary generated and translated by AI from the official description.
Claude Code is an agentic coding tool. Prior to version 1.0.111, Claude Code contained insufficient URL validation in its trusted domain verification mechanism for WebFetch requests. The application used a startsWith() function to validate trusted domains (e.g., docs.python.org, modelcontextprotocol.io); this could have enabled attackers to register domains like modelcontextprotocol.io.example.com that would pass validation. This could enable automatic requests to attacker-controlled domains without user consent, potentially leading to data exfiltration. This issue has been patched in version 1.0.111.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Affected products
anthropics · claude-code
