CVE-2026-24052
Published: 03 February 2026
Summary
CVE-2026-24052 is a high-severity Open Redirect (CWE-601) vulnerability in Anthropic Claude Code. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exfiltration Over C2 Channel (T1041); ranked at the 4.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related: it is categorised as Enterprise AI Assistants, in the Privacy and Disclosure risk domain.
The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-24052 affects Claude Code, an agentic coding tool from Anthropic, in versions prior to 1.0.111. The vulnerability stems from insufficient URL validation in the trusted domain verification mechanism for WebFetch requests. Specifically, the application relied on a startsWith() function to check trusted domains such as docs.python.org and modelcontextprotocol.io, which allowed attacker-controlled domains like modelcontextprotocol.io.example.com to pass validation.
Remote attackers require no privileges but need user interaction to exploit this issue, as indicated by its CVSS score of 7.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N). By registering a domain that mimics a trusted one via prefix matching, an attacker could trick Claude Code into issuing automatic WebFetch requests to their controlled server without user consent, enabling potential data exfiltration from the user's environment.
The issue, classified under CWE-601 (URL Redirection to Untrusted Site), has been addressed in Claude Code version 1.0.111. Security practitioners should upgrade to this version or later. Additional details are available in the GitHub Security Advisory at https://github.com/anthropics/claude-code/security/advisories/GHSA-vhw5-3g5m-8ggf.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-5172
Vulnerability details
Claude Code is an agentic coding tool. Prior to version 1.0.111, Claude Code contained insufficient URL validation in its trusted domain verification mechanism for WebFetch requests. The application used a startsWith() function to validate trusted domains (e.g., docs.python.org, modelcontextprotocol.io); this could have enabled attackers to register domains like modelcontextprotocol.io.example.com that would pass validation. This could enable automatic requests to attacker-controlled domains without user consent, potentially leading to data exfiltration. This issue has been patched in version 1.0.111.
- CWE(s): CWE-601 (URL Redirection to Untrusted Site)
AI Security Analysis
- AI Category: Enterprise AI Assistants
- Risk Domain: Privacy and Disclosure
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: Matched keywords: claude
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1041 Exfiltration Over C2 Channel
Why these techniques?
Bypass of domain validation in WebFetch enables attacker-controlled exfiltration over web protocols from the victim environment.
Affected Assets
- Anthropic Claude Code, versions prior to 1.0.111 (fixed in 1.0.111)
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly requires validation of URL inputs to ensure only properly formed and authorized domains are accepted, blocking the startsWith() bypass.
- AC-4 (Information Flow Enforcement): Enforces information flow rules so WebFetch requests are permitted only to explicitly validated trusted domains, preventing unauthorized exfiltration.
- Requires the system to enforce access decisions based on domain trust rules before allowing outbound WebFetch requests.
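The prefix-matching flaw described in the Deeper analysis and Vulnerability details sections, next to the input-validation and flow-enforcement check the Mitigating Controls section calls for, as an added JavaScript example. This is not code from Claude Code or Anthropic: the exact shape of the original check is not published, so isTrustedByPrefix is a reconstruction of the described pattern, and TRUSTED_DOMAINS, isTrustedHost, classifyFetch and the sample URLs are constructed for illustration. The https-only rule in the hardened check is a design choice of this example, not something the advisory states.

```javascript
// Added example, not Claude Code's or Anthropic's code. It reconstructs the
// startsWith() pattern described in CVE-2026-24052 beside a hostname-based
// check. TRUSTED_DOMAINS and the sample URLs are constructed for illustration.

const TRUSTED_DOMAINS = ["docs.python.org", "modelcontextprotocol.io"];

// Vulnerable pattern (reconstruction): a plain string-prefix test. Any host that
// merely begins with a trusted name is accepted, so
// "modelcontextprotocol.io.example.com" passes although it belongs to whoever
// controls example.com. It also rejects legitimate subdomains such as
// "api.modelcontextprotocol.io", since those do not begin with the trusted name.
function isTrustedByPrefix(url) {
  const host = new URL(url).hostname;
  return TRUSTED_DOMAINS.some((trusted) => host.startsWith(trusted));
}

// Hardened check: parse the URL, normalise the hostname, then require an exact
// match or a suffix match on a label boundary ("." + trusted). Matching on the
// parsed hostname rather than on the raw string is what the SI-10 style
// "properly formed and authorized domains" requirement amounts to in code.
function isTrustedHost(url) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch {
    return false; // unparseable input is never trusted
  }
  // Design choice of this example: automatic fetches only over HTTPS.
  if (parsed.protocol !== "https:") return false;
  // The WHATWG parser already lowercases the host; also drop a trailing dot so
  // that "docs.python.org." compares equal to "docs.python.org".
  const host = parsed.hostname.replace(/\.$/, "");
  return TRUSTED_DOMAINS.some(
    (trusted) => host === trusted || host.endsWith("." + trusted)
  );
}

// Flow-enforcement gate for a hypothetical fetch path (AC-4 in spirit): only
// trusted hosts may be fetched automatically; anything else must go back to the
// user for an explicit decision instead of being requested silently.
function classifyFetch(url) {
  return isTrustedHost(url) ? "auto-fetch" : "ask-user";
}

// Constructed sample requests: two legitimate, the lookalike domain named in
// the advisory, and one malformed input.
const SAMPLES = [
  "https://docs.python.org/3/library/urllib.html",
  "https://api.modelcontextprotocol.io/spec",
  "https://modelcontextprotocol.io.example.com/collect",
  "not a url",
];

for (const url of SAMPLES) {
  let prefix;
  try {
    prefix = isTrustedByPrefix(url);
  } catch {
    prefix = "throws"; // the naive check has no error handling at all
  }
  console.log(
    `${url}\n  prefix check: ${prefix}\n  hostname check: ${isTrustedHost(url)} -> ${classifyFetch(url)}`
  );
}
```

Run with `node` to see the two checks side by side: the prefix test accepts the lookalike domain and rejects a genuine subdomain, while the hostname test does the reverse and sends everything untrusted or unparseable to the "ask-user" path. The label-boundary suffix match (`"." + trusted`) is the key detail; `endsWith(trusted)` alone would still accept `evilmodelcontextprotocol.io`-style names, which is why the dot is part of the comparison.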