CVE-2026-24052 Overview
CVE-2026-24052 is an open redirect vulnerability (CWE-601) affecting Claude Code, an agentic coding tool developed by Anthropic. Prior to version 1.0.111, Claude Code contained insufficient URL validation in its trusted domain verification mechanism for WebFetch requests. The application used a startsWith() function to validate trusted domains (e.g., docs.python.org, modelcontextprotocol.io), which could have enabled attackers to register domains like modelcontextprotocol.io.example.com that would pass validation. This could enable automatic requests to attacker-controlled domains without user consent, potentially leading to data exfiltration.
Critical Impact
Attackers could bypass trusted domain validation to exfiltrate sensitive data by registering malicious domains that pass the flawed startsWith() validation check.
Affected Products
- Claude Code versions prior to 1.0.111
Discovery Timeline
- 2026-02-03 - CVE-2026-24052 published to NVD
- 2026-02-04 - Last updated in NVD database
Technical Details for CVE-2026-24052
Vulnerability Analysis
This vulnerability stems from an improper input validation flaw in the trusted domain verification mechanism. When Claude Code makes WebFetch requests, it validates the target URL against a list of trusted domains. The implementation used a startsWith() string comparison function to check if the request URL began with an allowed domain pattern. This approach is fundamentally flawed because it does not properly validate domain boundaries.
For example, if modelcontextprotocol.io is a trusted domain, the startsWith() check would also pass for modelcontextprotocol.io.example.com because the string technically starts with the trusted domain pattern. An attacker could exploit this by registering a subdomain or lookalike domain that incorporates the trusted domain string as a prefix.
The vulnerability requires user interaction to trigger but can be exploited remotely over the network. Once exploited, confidentiality is impacted as sensitive data could be sent to attacker-controlled servers without proper user authorization.
Root Cause
The root cause is the use of startsWith() for domain validation instead of proper URL parsing and domain boundary checking. Secure domain validation requires parsing the URL to extract the actual hostname and then comparing it against the allowlist with proper boundary checks (ensuring exact match or valid subdomain relationships). The flawed implementation treated domain validation as a simple string prefix operation, which fails to account for the hierarchical nature of domain names.
Attack Vector
The attack vector is network-based and requires user interaction. An attacker would:
- Register a domain that begins with a trusted domain string (e.g., modelcontextprotocol.io.attacker.com)
- Craft a malicious URL or content that triggers a WebFetch request to this domain
- When a user interacts with the crafted content, Claude Code's validation incorrectly approves the request
- Sensitive data from the user's session or workspace is sent to the attacker's server without explicit consent
The vulnerability mechanism involves the flawed startsWith() domain validation allowing attacker-controlled domains to masquerade as trusted endpoints. For complete technical details, see the GitHub Security Advisory.
Detection Methods for CVE-2026-24052
Indicators of Compromise
- Unexpected outbound network connections to domains that include trusted domain strings as prefixes but are not legitimate (e.g., docs.python.org.malicious-domain.com)
- WebFetch request logs showing requests to unusual domain patterns that pass validation but point to unrecognized infrastructure
- Data transfer to domains with suspicious TLD patterns or newly registered domains
Detection Strategies
- Monitor network traffic for outbound connections from Claude Code instances to domains that contain trusted domain strings but have additional suffixes
- Implement DNS logging to identify requests to suspicious domains that mimic trusted domain patterns
- Review WebFetch request logs for anomalous domain access patterns
Monitoring Recommendations
- Enable verbose logging for Claude Code WebFetch operations to track all domain access attempts
- Deploy network monitoring solutions to flag connections to domains resembling trusted endpoints with additional suffixes
- Implement alerting for data transfers to newly registered domains or domains with low reputation scores
How to Mitigate CVE-2026-24052
Immediate Actions Required
- Upgrade Claude Code to version 1.0.111 or later immediately
- Review WebFetch logs for any suspicious domain access that may indicate prior exploitation
- Audit any data that may have been exposed through WebFetch requests to untrusted domains
Patch Information
Anthropic has released version 1.0.111 of Claude Code which addresses this vulnerability by implementing proper URL parsing and domain boundary validation. The fix replaces the flawed startsWith() check with secure hostname extraction and comparison logic. Users should update to this version or later to remediate the vulnerability. For more information, see the GitHub Security Advisory.
Workarounds
- Implement network-level controls to block outbound connections to suspicious domains that mimic trusted domain patterns
- Use a proxy or firewall to enforce strict allowlisting of WebFetch destinations at the network layer
- Monitor and restrict Claude Code's network access to only necessary trusted domains pending the upgrade
# Example: Network-level domain allowlist enforcement
# Add to firewall or proxy configuration to restrict outbound connections
# Ensure exact domain matching rather than prefix matching
# Allowlist only legitimate trusted domains:
# - docs.python.org (exact match only)
# - modelcontextprotocol.io (exact match only)
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
