Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-54316

CVE-2026-54316: Claude Code SSRF Vulnerability

CVE-2026-54316 is a server-side request forgery flaw in Claude Code that enables data exfiltration through HuggingFace downloads. This article covers the technical details, affected versions, impact, and mitigation.

Published:

CVE-2026-54316 Overview

CVE-2026-54316 affects Claude Code, an agentic coding tool from Anthropic. Versions 0.2.54 through 2.1.162 pre-approved the bare hostname huggingface.co for the WebFetch tool. Any path on that domain, including attacker-controlled model repositories, was auto-approved without a permission prompt and bypassed --allowedTools restrictions. An attacker who can inject untrusted content into a Claude Code context can direct it to issue WebFetch requests against attacker-controlled repository files. HuggingFace counts these requests as downloads server-side, creating a covert out-of-band channel to encode and exfiltrate data Claude can access. The vulnerability is tracked as [CWE-183] Permissive List of Allowed Inputs and is fixed in version 2.1.163.

Critical Impact

Attackers can exfiltrate local files, environment variables, and command output through HuggingFace download telemetry without triggering Claude Code permission prompts.

Affected Products

  • Anthropic Claude Code version 0.2.54 through 2.1.162
  • Claude Code WebFetch tool configurations relying on --allowedTools restrictions
  • Environments where untrusted content can reach the Claude Code context window

Discovery Timeline

  • 2026-06-23 - CVE-2026-54316 published to NVD
  • 2026-06-23 - Last updated in NVD database

Technical Details for CVE-2026-54316

Vulnerability Analysis

Claude Code maintains a list of pre-approved hostnames that bypass user permission prompts for the WebFetch tool. The hostname huggingface.co was included as a bare entry, meaning every path on that domain was implicitly trusted. This trust extended to user-controlled paths such as /resolve/main/config.json inside attacker-owned model repositories. The pre-approval also overrode the --allowedTools command-line restrictions intended to constrain agent behavior.

An attacker who injects untrusted content into Claude's context, for example via a poisoned README, issue comment, or web page, can instruct the agent to issue specific WebFetch requests. HuggingFace records these fetches as repository download events visible to the repository owner. The attacker reads encoded data out of the download telemetry, creating an asynchronous exfiltration channel.

Root Cause

The root cause is a permissive allowlist entry [CWE-183]. The allowlist matched on hostname only, not on full URL or repository path. This violated least-privilege by extending trust granted to Anthropic-controlled HuggingFace content to all third-party repositories on the same domain.

Attack Vector

Exploitation requires prompt injection into the Claude Code context window. Once injected, instructions direct the agent to read sensitive local data such as files, environment variables, or shell output. The attacker encodes the captured data into URL paths under their HuggingFace repository, for example by splitting bytes across distinct /resolve/main/<encoded>.json requests. Each WebFetch executes silently because huggingface.co is pre-approved. The attacker reconstructs the exfiltrated payload from HuggingFace download logs.

Detection Methods for CVE-2026-54316

Indicators of Compromise

  • Outbound HTTPS requests from Claude Code processes to huggingface.co paths referencing repositories not owned by trusted publishers
  • High-frequency or sequentially patterned GET /resolve/main/ requests suggesting encoded data segmentation
  • Claude Code session logs containing untrusted external content followed by unexpected WebFetch invocations

Detection Strategies

  • Inspect Claude Code audit logs for WebFetch calls to huggingface.co that were auto-approved without user confirmation
  • Correlate developer endpoint network telemetry with Claude Code session timestamps to identify agent-driven exfiltration patterns
  • Apply DNS and proxy monitoring to flag agent processes contacting model repository hosts outside approved workflows

Monitoring Recommendations

  • Forward Claude Code tool invocation logs to a centralized SIEM for retention and correlation
  • Alert on Claude Code processes generating outbound HTTP traffic to hostnames outside an organization-defined approved list
  • Monitor environment variable and credential file reads occurring within active Claude Code sessions

How to Mitigate CVE-2026-54316

Immediate Actions Required

  • Upgrade Claude Code to version 2.1.163 or later on all developer workstations and CI runners
  • Audit recent Claude Code sessions for WebFetch requests to huggingface.co paths under untrusted repositories
  • Rotate credentials, API tokens, and secrets that may have been accessible to a Claude Code session during the exposure window

Patch Information

Anthropic fixed the vulnerability in Claude Code 2.1.163. The fix removes the bare-hostname pre-approval for huggingface.co so that WebFetch requests to that domain are subject to standard permission prompts and --allowedTools enforcement. Patch details are available in the GitHub Security Advisory GHSA-fg94-h982-f3mm.

Workarounds

  • Block outbound network access to huggingface.co from Claude Code execution environments where the tool is not required
  • Restrict Claude Code to project directories that exclude sensitive secrets, environment files, and credential stores
  • Avoid pasting or auto-loading untrusted external content such as third-party READMEs or web pages into Claude Code contexts
bash
# Configuration example: upgrade Claude Code and verify version
npm install -g @anthropic-ai/claude-code@latest
claude --version   # confirm 2.1.163 or later

# Optional egress restriction for sensitive environments
iptables -A OUTPUT -d huggingface.co -j REJECT

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.