PT-2026-6186 · Anthropic · Claude-Code

47Sid-Praetorian · Published 2026-02-03 · Updated 2026-03-18 · CVE-2026-24052

CVSS v3.1: 7.4 (High)

Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Claude Code versions prior to 1.0.111

Description

Claude Code, an agentic coding tool, had a flaw in how it checked the trustworthiness of web addresses when making WebFetch requests. The application used a startsWith() function to confirm trusted domains. Because startsWith() only compares a prefix, attackers could potentially register domains that begin with a trusted name and pass the validation. For example, a domain like modelcontextprotocol.io.example.com could bypass the check. This could lead to the application automatically sending requests to attacker-controlled domains without the user's knowledge, potentially resulting in data being stolen.

Recommendations

Update to version 1.0.111 or later.
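
The prefix check described above, next to a parsed exact-host comparison, as an added example that is not Claude Code's source or Anthropic's fix. The function names, the allowlist shape and the sample URLs are assumptions made for illustration; only the two domain names come from this advisory.

```javascript
// Added illustration, not Claude Code's source. Function names and the
// allowlist shape are assumptions; the two domain names are the advisory's.
const TRUSTED_DOMAINS = ["modelcontextprotocol.io"];

// Weak form: prefix comparison on the hostname, as the advisory describes.
function isTrustedPrefix(rawUrl) {
  const host = new URL(rawUrl).hostname;
  return TRUSTED_DOMAINS.some((d) => host.startsWith(d));
}

// Hardened form: parse first, then require an exact host match (or a true
// subdomain, bounded by a leading dot, when the caller opts in).
function isTrustedStrict(rawUrl, { allowSubdomains = false } = {}) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return false; // unparseable input is never trusted
  }
  if (url.protocol !== "https:") return false;
  // URL lowercases the hostname; drop the optional trailing root dot.
  const host = url.hostname.replace(/\.$/, "");
  return TRUSTED_DOMAINS.some(
    (d) => host === d || (allowSubdomains && host.endsWith("." + d))
  );
}

// Constructed sample URLs.
const SAMPLES = [
  "https://modelcontextprotocol.io/docs",
  "https://modelcontextprotocol.io.example.com/docs",
  "https://MODELCONTEXTPROTOCOL.IO./docs",
  "https://docs.modelcontextprotocol.io/",
  "http://modelcontextprotocol.io/docs",
];

// Runs both checks over each URL so the disagreements are visible.
function compare(urls = SAMPLES) {
  return urls.map((u) => ({
    url: u,
    prefix: isTrustedPrefix(u),
    strict: isTrustedStrict(u),
  }));
}

console.table(compare());
```

The rows where the two columns disagree are the ones to turn into regression tests for any allowlist that gates automatic outbound requests.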

Exploit

Fix

Open Redirect

Weakness Enumeration

Related Identifiers

CVE-2026-24052
GHSA-VHW5-3G5M-8GGF

Affected Products

Claude-Code