Loading
Claude Code is an agentic coding tool. Prior to version 1.0.111, Claude Code contained insufficient URL validation in its trusted domain verification mechanism for WebFetch requests. The application used a startsWith() function to validate trusted domains (e.g., docs.python.org, modelcontextprotocol.io), this could have enabled attackers to register domains like modelcontextprotocol.io.example.com that would pass validation. This could enable automatic requests to attacker-controlled domains without user consent, potentially leading to data exfiltration. This issue has been patched in version 1.0.111.
Cite this page
CVE-2026-24052. CVEDatabase.com. Retrieved 1 May 2026. https://cvedatabase.com/cve/CVE-2026-24052
Use CWE-601, Anthropic vendor hub and Claude Code product page to widen CVE-2026-24052 into its surrounding weakness, vendor, and product context.
Compare it with CVE-2026-35022, CVE-2026-35020 and CVE-2026-35021 for nearby disclosures in the same product family.