Claude Code: When 'Trusted' Domains Turn Traitor
Vulnerability ID: CVE-2026-24052
CVSS Score: 7.1
Published: 2026-02-03
In the race to build autonomous AI agents, Anthropic's Claude Code stumbled over one of the oldest hurdles in web security: string matching. CVE-2026-24052 describes a critical logic flaw in the WebFetch tool where the agent validates domains using a naive startsWith() check. This allows attackers to bypass the trusted domain whitelist by simply registering a malicious domain that begins with a trusted string (e.g., modelcontextprotocol.io.evil.com). The vulnerability turns the agent into an unwitting accomplice, potentially leaking context or succumbing to indirect prompt injection.
TL;DR
Claude Code's agent used startsWith() to validate trusted domains for its WebFetch tool. Attackers can bypass this by crafting domains like trusted.com.attacker.com. This forces the AI to automatically visit malicious sites without user confirmation.
Technical Details
- CWE ID: CWE-601
- Attack Vector: Network
- CVSS Score: 7.1 (High)
- EPSS Score: 0.00041
- Exploit Status: PoC Possible (Trivial)
- Impact: Data Exfiltration / Prompt Injection
Affected Systems
- Claude Code CLI Tool
- @anthropic-ai/claude-code npm package
- Claude Code: < 1.0.111 (Fixed in: 1.0.111)
Mitigation Strategies
- Strict Input Validation
- Boundary Checking
- Safe URL Parsing
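The three strategies above in one place, as an added example that is not Claude Code's source: a prefix check of the kind the advisory describes, next to a check that parses the URL and matches the hostname on a label boundary. The function names, the `TRUSTED` list, the HTTPS-only rule and the choice to run the prefix check against the parsed hostname are assumptions for illustration.

```javascript
// Added example; names and the allow-list are illustrative assumptions.
const TRUSTED = ["modelcontextprotocol.io"]; // constructed allow-list

// Flawed: prefix comparison on the host string, as the advisory describes.
function isTrustedNaive(rawUrl) {
  const host = new URL(rawUrl).hostname;
  return TRUSTED.some((d) => host.startsWith(d));
}

// Hardened: parse first, then require an exact hostname match, or (opt-in)
// a suffix match that begins at a "." label boundary.
function isTrustedStrict(rawUrl, { allowSubdomains = false } = {}) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return false; // unparseable input is never trusted
  }
  if (url.protocol !== "https:") return false;
  // The WHATWG parser lowercases the hostname; drop a trailing root dot.
  const host = url.hostname.replace(/\.$/, "");
  return TRUSTED.some(
    (d) => host === d || (allowSubdomains && host.endsWith("." + d))
  );
}

// Constructed sample inputs, including the domain shape from the advisory.
const SAMPLES = [
  "https://modelcontextprotocol.io/docs",
  "https://modelcontextprotocol.io.evil.com/docs",
  "https://docs.modelcontextprotocol.io/",
  "http://modelcontextprotocol.io/",
  "not a url",
];

// Run both checks over the samples so the disagreement is visible per URL.
function compare(samples = SAMPLES) {
  return samples.map((u) => {
    let naive;
    try { naive = isTrustedNaive(u); } catch { naive = "throws"; }
    return { url: u, naive, strict: isTrustedStrict(u) };
  });
}

console.table(compare());
```

The two checks disagree only on `modelcontextprotocol.io.evil.com`, which is the case a regression test for the allow-list should pin down.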
Remediation Steps:
- Update the claude-code package to version 1.0.111 or later using npm update -g.
- Review logs for any unexpected outbound connections to subdomains of trusted entities.
- Educate developers on the risks of Indirect Prompt Injection via external resources.