CVE-2026-24052

216.73.217.22

· Published 03/02/2026 21:16 · Modified 04/02/2026 16:33

Labels: CVE-2026-24052 2026-02-03 CVE-2026-24052 CWE-601 [email protected]

Essential information

Published: 03/02/2026 21:16
Modified: 04/02/2026 16:33
Author: —
Creator: —
CVSS: 7.1 HIGH (v3) 7.1 HIGH (v4.0)
CISA KEV: No
CWE: —
CVSS vector: —

CVSS metrics

Description

Claude Code is an agentic coding tool. Prior to version 1.0.111, Claude Code contained insufficient URL validation in its trusted domain verification mechanism for WebFetch requests. The application used a startsWith() function to validate trusted domains (e.g., docs.python.org, modelcontextprotocol.io), this could have enabled attackers to register domains like modelcontextprotocol.io.example.com that would pass validation. This could enable automatic requests to attacker-controlled domains without user consent, potentially leading to data exfiltration. This issue has been patched in version 1.0.111.

NVD status

Status: Awaiting Analysis — CVE has been recently published to the CVE List and has been received by the NVD.
Source: [email protected]
NVD: View on NVD

Affected products (CPE)

Product	CPE
claude / claude code	`cpe:2.3:a:claude:claude_code:<1.0.111:::::::*`