CVE-2026-24052
Published: 03 February 2026
Summary
CVE-2026-24052 is a high-severity Open Redirect (CWE-601) vulnerability in Anthropic Claude Code. Its CVSS base score is 7.4 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exfiltration Over C2 Channel (T1041); it ranks at the 3.1 percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related: it is categorised as APIs and Models, in the Privacy and Disclosure risk domain.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Bypass of domain validation in WebFetch enables attacker-controlled exfiltration over web protocols from the victim environment.
NVD Description
Claude Code is an agentic coding tool. Prior to version 1.0.111, Claude Code contained insufficient URL validation in its trusted domain verification mechanism for WebFetch requests. The application used a startsWith() function to validate trusted domains (e.g., docs.python.org, modelcontextprotocol.io); this could have enabled attackers to register domains like modelcontextprotocol.io.example.com that would pass validation. This could enable automatic requests to attacker-controlled domains without user consent, potentially leading to data exfiltration. This issue has been patched in version 1.0.111.
Deeper analysis
CVE-2026-24052 affects Claude Code, an agentic coding tool from Anthropic, in versions prior to 1.0.111. The vulnerability stems from insufficient URL validation in the trusted domain verification mechanism for WebFetch requests. Specifically, the application relied on a startsWith() function to check trusted domains such as docs.python.org and modelcontextprotocol.io, which allowed attacker-controlled domains like modelcontextprotocol.io.example.com to pass validation.
Remote attackers require no privileges but need user interaction to exploit this issue, as indicated by its CVSS score of 7.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N). By registering a domain that mimics a trusted one via prefix matching, an attacker could trick Claude Code into issuing automatic WebFetch requests to their controlled server without user consent, enabling potential data exfiltration from the user's environment.
The issue, classified under CWE-601 (URL Redirection to Untrusted Site), has been addressed in Claude Code version 1.0.111. Security practitioners should upgrade to this version or later. Additional details are available in the GitHub Security Advisory at https://github.com/anthropics/claude-code/security/advisories/GHSA-vhw5-3g5m-8ggf.
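As an added illustration (not Claude Code's own code), the prefix check the advisory describes is shown next to a hardened host-based check; the trusted-domain list and the https-only rule are assumptions for the example:

```javascript
// Added example: the prefix-matching pattern described in the advisory
// beside a corrected check. The trusted list below is illustrative.
const TRUSTED_DOMAINS = ["docs.python.org", "modelcontextprotocol.io"];

// Vulnerable pattern: startsWith() on the hostname treats any host that
// merely begins with a trusted name as trusted, so a lookalike such as
// "modelcontextprotocol.io.example.com" passes.
function isTrustedPrefix(urlString) {
  const host = new URL(urlString).hostname;
  return TRUSTED_DOMAINS.some((d) => host.startsWith(d));
}

// Hardened check: parse the URL, require https (assumed policy), normalise
// the hostname, then accept only an exact match or a subdomain separated by
// a label boundary ("." + trusted). Anything unparsable is rejected.
function isTrustedHost(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch {
    return false;
  }
  if (url.protocol !== "https:") return false;
  // Lower-case and strip a trailing dot so "DOCS.PYTHON.ORG." normalises.
  const host = url.hostname.toLowerCase().replace(/\.$/, "");
  return TRUSTED_DOMAINS.some((d) => host === d || host.endsWith("." + d));
}

module.exports = { isTrustedPrefix, isTrustedHost };
```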
Details
- CWE(s)
Affected Products
AI Security Analysis
- AI Category
- APIs and Models
- Risk Domain
- Privacy and Disclosure
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Matched keywords: claude, claude