Insufficient URL Validation in Claude Code by Anthropics
CVE-2026-24052

7.1HIGH

Key Information:

Vendor: Anthropics
Status: Claude-code
Vendor: CVE Published:; 3 February 2026

What is CVE-2026-24052?

Claude Code, an agentic coding tool developed by Anthropics, prior to version 1.0.111, suffered from a security vulnerability due to inadequate URL validation in its trusted domain verification mechanism for WebFetch requests. The flawed implementation used the startsWith() function for domain validation, allowing attackers to potentially register deceptive domains (e.g., modelcontextprotocol.io.example.com) that could pass as trusted. This misconfiguration could result in the application making automatic requests to domains controlled by attackers without user consent, posing risks of unauthorized data access and exfiltration. The vulnerability has been addressed in the latest version.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

claude-code < 1.0.111

References

https://github.com/anthropics/claude-code/security/adviso...

x_refsource_CONFIRM

CVSS V4

Score:

7.1

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Timeline

Vulnerability published
Feb 3, 2026
Vulnerability Reserved
Jan 20, 2026

JSON

Anthropics

What is CVE-2026-24052?

Human OS v1.0: Ageing Is an Unpatched Zero-Day Vulnerability.

Affected Version(s)

References

CVSS V4

Timeline

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.