Insufficient URL Validation in Claude Code by Anthropics
CVE-2026-24052

7.1HIGH

Key Information:

Vendor: Anthropics
Status: Claude-code
Vendor: CVE Published:; 3 February 2026

What is CVE-2026-24052?

Claude Code, an agentic coding tool developed by Anthropics, prior to version 1.0.111, suffered from a security vulnerability due to inadequate URL validation in its trusted domain verification mechanism for WebFetch requests. The flawed implementation used the startsWith() function for domain validation, allowing attackers to potentially register deceptive domains (e.g., modelcontextprotocol.io.example.com) that could pass as trusted. This misconfiguration could result in the application making automatic requests to domains controlled by attackers without user consent, posing risks of unauthorized data access and exfiltration. The vulnerability has been addressed in the latest version.

Affected Version(s)

claude-code < 1.0.111

References

https://github.com/anthropics/claude-code/security/adviso...

x_refsource_CONFIRM

CVSS V4

Score:

7.1

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 3, 2026
Vulnerability Reserved
Jan 20, 2026

CVE-2026-24052 Data

JSON