Anthropic · Claude-Code · CVE-2026-24052
**Name of the Vulnerable Software and Affected Versions**
Claude Code versions prior to 1.0.111
**Description**
Claude Code, an agentic coding tool, had a flaw in how it validated trusted domains when making WebFetch requests. The application used a `startsWith()` comparison to confirm trusted domains, so an attacker could register a domain whose name merely begins with a trusted domain and still pass validation. For example, a domain like `modelcontextprotocol.io.example.com` could bypass the check. This could lead to the application automatically sending requests to attacker-controlled domains without the user's knowledge, potentially resulting in data being stolen.
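
The prefix check described above, next to a hostname comparison anchored on a label boundary, as an added example (not Claude Code's source). The function names, the sample URLs and the choice to accept subdomains of a trusted domain are assumptions made for illustration.

```javascript
// Added illustration; not Claude Code's source. The allowlist entry is the
// domain named in the advisory; function names and sample URLs are constructed.
const TRUSTED_DOMAINS = ["modelcontextprotocol.io"];

// Return the normalised hostname, or null if the URL does not parse.
function parseHost(rawUrl) {
  try {
    // WHATWG URL lowercases the host; also strip a trailing root dot.
    return new URL(rawUrl).hostname.replace(/\.$/, "");
  } catch {
    return null;
  }
}

// Weak form, as the advisory describes it: prefix match against the allowlist.
function isTrustedPrefix(rawUrl) {
  const host = parseHost(rawUrl);
  return host !== null && TRUSTED_DOMAINS.some((d) => host.startsWith(d));
}

// Corrected form: exact match, or a subdomain ending in "." + trusted domain.
// Accepting subdomains is a policy assumption; drop endsWith() to forbid them.
function isTrustedHost(rawUrl) {
  const host = parseHost(rawUrl);
  return (
    host !== null &&
    TRUSTED_DOMAINS.some((d) => host === d || host.endsWith("." + d))
  );
}

// Constructed sample URLs: the trusted domain, a subdomain of it, the bypass
// domain from the advisory, and a look-alike that a dot-less suffix check
// would wrongly accept.
const SAMPLES = [
  "https://modelcontextprotocol.io/docs",
  "https://docs.modelcontextprotocol.io/",
  "https://modelcontextprotocol.io.example.com/",
  "https://notmodelcontextprotocol.io/",
];

// Evaluate both checks on every sample so the difference is visible.
function compare() {
  return SAMPLES.map((url) => ({
    url,
    prefix: isTrustedPrefix(url),
    anchored: isTrustedHost(url),
  }));
}

console.table(compare());
```

The prefix check accepts the advisory's bypass domain while rejecting a genuine subdomain; the anchored check does the opposite on both.
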
**Recommendations**
Update to version 1.0.111 or later.