Cyber Resilience

CVE-2026-24052

High

Published: 03 February 2026
Modified: 06 February 2026
KEV Added: not listed
Patch: fixed in Claude Code 1.0.111
CVSS Score: v4.0 7.1 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N)
EPSS Score: 0.0002 (4.9th percentile)
Risk Priority: 14 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-24052 is a high-severity vulnerability in Anthropic Claude Code, classified as Open Redirect (CWE-601). In practice it is a trusted-domain allow-list bypass: the WebFetch domain check could be satisfied by an attacker-registered host, so the tool would fetch from that host automatically. Its CVSS v4.0 base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exfiltration Over C2 Channel (T1041). Its EPSS score of 0.0002 places it at the 4.9th percentile by exploit likelihood (well below the median), and it is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related — categorised as Enterprise AI Assistants; in the Privacy and Disclosure risk domain.

The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-24052 affects Claude Code, an agentic coding tool from Anthropic, in versions prior to 1.0.111. The vulnerability stems from insufficient URL validation in the trusted domain verification mechanism for WebFetch requests. Specifically, the application relied on a startsWith() function to check trusted domains such as docs.python.org and modelcontextprotocol.io, which allowed attacker-controlled domains like modelcontextprotocol.io.example.com to pass validation.

Remote attackers require no privileges but need user interaction to exploit this issue, as reflected in its CVSS v3.1 score of 7.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N); the CVSS v4.0 score shown above is 7.1. By registering a domain whose hostname begins with a trusted domain (prefix matching), an attacker could get Claude Code to issue automatic WebFetch requests to a server they control without user consent, enabling potential data exfiltration from the user's environment.

The issue, classified under CWE-601 (URL Redirection to Untrusted Site), has been addressed in Claude Code version 1.0.111. Security practitioners should upgrade to this version or later. Additional details are available in the GitHub Security Advisory at https://github.com/anthropics/claude-code/security/advisories/GHSA-vhw5-3g5m-8ggf.
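The following is an added example, not Claude Code's own code and not taken from the advisory. It shows the prefix-style trusted-domain check the advisory describes beside a hardened replacement, and reuses the same rule as a hunting helper for the proxy or DNS log review suggested by the ATT&CK mapping below. Only the two trusted domains and the bypass host modelcontextprotocol.io.example.com come from the advisory; the function names, the assumed shape of the original check, the https-only rule and the subdomain rule are assumptions made for this example.

```typescript
// Added example for CVE-2026-24052. Not Claude Code's code: the exact original
// check is not public on this page, so isTrustedHostVulnerable() is an assumed
// reconstruction of "startsWith() on the host"; the https-only and subdomain
// rules in the hardened check are design choices, not advisory statements.

const TRUSTED_DOMAINS: readonly string[] = ["docs.python.org", "modelcontextprotocol.io"];

/** Parse with the WHATWG URL parser; null when the input is not an absolute URL. */
function parseUrl(raw: string): URL | null {
  try {
    return new URL(raw);
  } catch {
    return null;
  }
}

/** Lower-cased hostname with userinfo and port already removed by the parser;
 *  a trailing root dot is stripped so "docs.python.org." equals "docs.python.org". */
function normalisedHost(u: URL): string {
  return u.hostname.toLowerCase().replace(/\.$/, "");
}

/**
 * Assumed shape of the pre-1.0.111 check: a prefix comparison on the host.
 * "modelcontextprotocol.io.example.com".startsWith("modelcontextprotocol.io")
 * is true, so an attacker-registered host is treated as trusted.
 */
function isTrustedHostVulnerable(rawUrl: string): boolean {
  const u = parseUrl(rawUrl);
  if (u === null) return false;
  const host = normalisedHost(u);
  return TRUSTED_DOMAINS.some((d) => host.startsWith(d));
}

/** True when host is exactly `trusted` or a subdomain of it at a label boundary. */
function hostWithinDomain(host: string, trusted: string): boolean {
  return host === trusted || host.endsWith("." + trusted);
}

/**
 * Hardened check: parse first, compare the whole hostname, and insist on https
 * so a plaintext fetch cannot be redirected by an on-path attacker. Remove the
 * endsWith clause in hostWithinDomain() if only the exact hosts should pass.
 */
function isTrustedHostFixed(rawUrl: string): boolean {
  const u = parseUrl(rawUrl);
  if (u === null || u.protocol !== "https:") return false;
  const host = normalisedHost(u);
  return TRUSTED_DOMAINS.some((d) => hostWithinDomain(host, d));
}

/**
 * Hunting helper for proxy/DNS logs: hosts that embed a trusted domain string
 * but are not actually within that domain are the lookalikes this bug would
 * have fetched from. Returns the offending hosts, de-duplicated, in input order.
 */
function findLookalikeHosts(hosts: readonly string[]): string[] {
  const seen = new Set<string>();
  for (const raw of hosts) {
    const host = raw.toLowerCase().replace(/\.$/, "");
    const embeds = TRUSTED_DOMAINS.some((d) => host.indexOf(d) !== -1);
    const within = TRUSTED_DOMAINS.some((d) => hostWithinDomain(host, d));
    if (embeds && !within) seen.add(host);
  }
  return Array.from(seen);
}

// Constructed sample inputs (only the second host is named in the advisory).
const SAMPLE_URLS: readonly string[] = [
  "https://docs.python.org/3/library/urllib.html",      // legitimate
  "https://modelcontextprotocol.io.example.com/steal",  // bypass host from the advisory
  "https://docs.python.org.attacker.example/",           // same trick on the other domain
  "https://api.modelcontextprotocol.io/schema",          // genuine subdomain
  "http://docs.python.org/3/",                            // plaintext: rejected by the fix
  "https://user@docs.python.org./",                       // userinfo and root dot survive parsing
  "not a url",
];

interface CheckResult { url: string; vulnerable: boolean; fixed: boolean; }

/** Run both checks over a list of URLs so the divergence is visible side by side. */
function compareChecks(urls: readonly string[]): CheckResult[] {
  return urls.map((url) => ({
    url,
    vulnerable: isTrustedHostVulnerable(url),
    fixed: isTrustedHostFixed(url),
  }));
}

for (const r of compareChecks(SAMPLE_URLS)) {
  const v = r.vulnerable ? "OLD-ALLOW" : "OLD-DENY ";
  const f = r.fixed ? "NEW-ALLOW" : "NEW-DENY ";
  console.log(`${v} ${f}  ${r.url}`);
}
```

The design point is that the allow-list decision is made on the parsed hostname, compared as a whole, rather than on a prefix of a string. Any trusted-domain list used this way should be paired with the same comparison when reviewing outbound request logs: a host that contains a listed domain but is not within it is exactly the host this bug would have contacted.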

Vulnerability details

Claude Code is an agentic coding tool. Prior to version 1.0.111, Claude Code contained insufficient URL validation in its trusted domain verification mechanism for WebFetch requests. The application used a startsWith() function to validate trusted domains (e.g., docs.python.org, modelcontextprotocol.io), which could have enabled attackers to register domains like modelcontextprotocol.io.example.com that would pass validation. This could enable automatic requests to attacker-controlled domains without user consent, potentially leading to data exfiltration. This issue has been patched in version 1.0.111.

CWE(s)

CWE-601 URL Redirection to Untrusted Site ('Open Redirect')

AI Security Analysis

AI Category
Enterprise AI Assistants
Risk Domain
Privacy and Disclosure
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: claude

Related Threats

MITRE ATT&CK Enterprise Techniques

T1041 Exfiltration Over C2 Channel (Exfiltration): Adversaries may steal data by exfiltrating it over an existing command and control channel.
T1071.001 Web Protocols (Command and Control): Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic.
Why these techniques?

Bypass of domain validation in WebFetch enables attacker-controlled exfiltration over web protocols from the victim environment.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-21852 (same product: Anthropic Claude Code)
CVE-2026-25724 (same product: Anthropic Claude Code)
CVE-2026-39861 (same product: Anthropic Claude Code)
CVE-2026-25722 (same product: Anthropic Claude Code)
CVE-2026-24887 (same product: Anthropic Claude Code)
CVE-2026-25725 (same product: Anthropic Claude Code)
CVE-2026-40068 (same product: Anthropic Claude Code)
CVE-2026-33068 (same product: Anthropic Claude Code)
CVE-2025-54795 (same product: Anthropic Claude Code)
CVE-2025-65099 (same product: Anthropic Claude Code)

Affected Assets

Anthropic Claude Code, versions < 1.0.111 (1.0.111 is the fixed release; verify the installed version before and after upgrading)

Mitigating Controls (NIST 800-53 r5)

prevent · SI-10 Information Input Validation
Directly requires validation of URL inputs so that only properly formed and authorised domains are accepted, blocking the startsWith() prefix bypass.

prevent · AC-4 Information Flow Enforcement
Enforces information flow rules so WebFetch requests are permitted only to explicitly validated trusted domains, preventing unauthorised exfiltration.

prevent
Requires the system to enforce access decisions based on domain trust rules before allowing outbound WebFetch requests.

References

GitHub Security Advisory GHSA-vhw5-3g5m-8ggf: https://github.com/anthropics/claude-code/security/advisories/GHSA-vhw5-3g5m-8ggf