Executive Summary
What: A high-severity domain validation bypass vulnerability (CVE-2026-24052, CVSS 7.4) exists in Anthropic's Claude Code, an agentic coding tool distributed as the npm package @anthropic-ai/claude-code (NVD). The WebFetch feature, which permits the AI agent to retrieve content from external URLs during coding sessions, validated trusted domains using JavaScript's startsWith() function (GHSA-vhw5-3g5m-8ggf). This allows an attacker to register a domain such as modelcontextprotocol.io.example.com that passes the validation check while resolving to attacker-controlled infrastructure (GHSA-vhw5-3g5m-8ggf).
So What: Successful exploitation enables cross-boundary data exfiltration from Claude Code sessions to attacker-controlled domains without explicit user consent (GHSA-vhw5-3g5m-8ggf). The CVSS vector assigns Scope: Changed (S:C), indicating the vulnerability affects resources beyond the Claude Code application's own security boundary (NVD). Although user interaction is required (UI:R), the attack complexity is low (AC:L) and no privileges are needed (PR:N), making exploitation feasible for any attacker capable of registering a domain name (GHSA-vhw5-3g5m-8ggf). The EPSS probability is 0.039% (12th percentile), indicating low observed exploitation likelihood at time of writing (FIRST.org EPSS).
Now What: Upgrade Claude Code to version 1.0.111 or later immediately (NVD). Audit any agentic AI tooling in the environment that validates external domains using string prefix matching (RAXE assessment). Review WebFetch request logs for connections to unexpected domain suffixes that may indicate bypass attempts.
Risk Rating
| Dimension | Rating | Detail |
|---|---|---|
| Severity | HIGH (7.4) | Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N (NVD, CVSS v3.1) |
| Urgency | HIGH | Patch available (v1.0.111); auto-update users already remediated (GHSA-vhw5-3g5m-8ggf) |
| Scope | CHANGED | Vulnerability affects resources beyond the Claude Code application boundary (NVD) |
| Confidence | HIGH | CVE assigned by MITRE, GHSA published by vendor, patch released, reporter credited (NVD, GHSA-vhw5-3g5m-8ggf) |
| Business Impact | HIGH | Confidentiality loss -- session data exfiltration to attacker-controlled infrastructure (NVD) |
CVSS Divergence Note: GHSA-vhw5-3g5m-8ggf assigns a CVSS v4.0 score of 7.1 HIGH. This publication uses the NVD v3.1 score of 7.4 as the primary metric for consistency across findings (NVD, GHSA-vhw5-3g5m-8ggf).
Affected Products
| Product | Registry | Affected Versions | Fixed Version | Source |
|---|---|---|---|---|
| @anthropic-ai/claude-code | npm | < 1.0.111 | 1.0.111 | GHSA-vhw5-3g5m-8ggf |
CPE: cpe:2.3:a:anthropic:claude_code:*:*:*:*:*:node.js:*:* (NVD)
Am I Affected?
- Check if Claude Code is installed in your development environment: claude --version
- Any version below 1.0.111 is vulnerable (NVD)
- Review whether WebFetch functionality is used in your Claude Code workflows
- If auto-update is enabled, you may already be on a patched version (GHSA-vhw5-3g5m-8ggf)
Abstract
CVE-2026-24052 is a high-severity domain validation bypass in Anthropic's Claude Code, an agentic coding tool that enables AI-assisted software development. The vulnerability resides in the WebFetch feature's trusted domain verification logic, which used JavaScript's String.prototype.startsWith() to check whether a requested URL's hostname begins with a string from an internal allowlist (GHSA-vhw5-3g5m-8ggf). This validation approach does not enforce DNS label boundaries: a hostname such as modelcontextprotocol.io.attacker.com satisfies a startsWith("modelcontextprotocol.io") check while resolving entirely to attacker-controlled infrastructure (GHSA-vhw5-3g5m-8ggf). Exploitation requires user interaction but no privileges, and the changed scope (S:C) in the CVSS vector indicates that data exfiltration extends beyond the Claude Code process boundary (NVD). The vulnerability was reported via HackerOne by the researcher 47sid-praetorian and patched in version 1.0.111 (GHSA-vhw5-3g5m-8ggf). The weaknesses are classified as CWE-601 (URL Redirection to Untrusted Site) by MITRE and CWE-20 (Improper Input Validation) by the vendor (NVD, GHSA-vhw5-3g5m-8ggf).
Key Findings
- Domain validation used startsWith() without boundary enforcement -- Claude Code's WebFetch feature validated trusted domains by checking whether the requested hostname began with a trusted domain string, using JavaScript's startsWith() function. This does not enforce a domain label boundary, allowing prefix-spoofed hostnames to bypass the check (GHSA-vhw5-3g5m-8ggf).
- Cross-boundary data exfiltration -- The CVSS vector assigns Scope: Changed (S:C) and Confidentiality: High (C:H), reflecting that exploitation enables data exfiltration from the Claude Code session to infrastructure outside the application's security boundary (NVD), without explicit user consent (GHSA-vhw5-3g5m-8ggf).
- Low barrier to exploitation -- No privileges are required (PR:N), attack complexity is low (AC:L), and the only prerequisite beyond domain registration is user interaction (UI:R) to trigger a WebFetch request to the spoofed domain (NVD).
- Vendor response demonstrates responsible disclosure maturity -- The vulnerability was reported via Anthropic's HackerOne programme, credited to 47sid-praetorian, and patched in version 1.0.111. Auto-update users were automatically remediated (GHSA-vhw5-3g5m-8ggf).
- Pattern recurrence in AI agent tool-use interfaces (RAXE assessment) -- This finding complements RAXE-2026-014 (MCP Server Git Path Traversal, CVE-2026-27735) in establishing a pattern of insufficient input validation at the interface between AI agents and external resources. The startsWith() bypass is a specific instance of a broader class of trust-boundary validation failures in agentic architectures. This is an analytical assessment based on observed findings, not a vendor-confirmed systemic issue.
Attack Flow
+--------------------------+
| 1. DOMAIN REGISTRATION | Attacker registers spoofed domain
| e.g., modelcontext- | (e.g., modelcontextprotocol.io.evil.com)
| protocol.io.evil.com |
+-----------+--------------+ (GHSA-vhw5-3g5m-8ggf)
|
v
+--------------------------+
| 2. RECEIVING SERVER | Attacker configures HTTP server
| HTTP logging enabled | to log all inbound requests
+-----------+--------------+
|
v
+--------------------------+
| 3. DELIVERY | Malicious URL delivered via:
| User interaction req. | - Repository instructions
| (UI:R per CVSS) | - Prompt injection payload
| | - Social engineering
+-----------+--------------+ (NVD)
|
v
+--------------------------+
| 4. VALIDATION BYPASS | startsWith("modelcontextprotocol.io")
| startsWith() passes | returns TRUE for spoofed hostname
| No boundary check | WebFetch proceeds without warning
+-----------+--------------+ (GHSA-vhw5-3g5m-8ggf)
|
v
+--------------------------+
| 5. DATA EXFILTRATION | HTTP request sent to attacker server
| Scope: Changed (S:C) | Session context, headers, parameters
| Confidentiality: High | exfiltrated beyond app boundary
+-----------+--------------+ (NVD)
|
v
+--------------------------+
| 6. IMPACT | Attacker reviews server logs
| No integrity/avail. | Extracts code, context, metadata
| impact (I:N, A:N) | from the Claude Code session
+--------------------------+ (NVD)
Technical Details
Vulnerability Mechanics
Claude Code maintains an internal allowlist of trusted domains for its WebFetch feature. WebFetch enables the AI agent to autonomously retrieve content from external URLs during coding sessions, supporting functionality such as documentation lookup and resource fetching (GHSA-vhw5-3g5m-8ggf). The advisory identifies modelcontextprotocol.io and docs.python.org as examples of domains on this trusted list (GHSA-vhw5-3g5m-8ggf).
The domain validation logic evaluated whether a requested hostname begins with a trusted domain string, using JavaScript's String.prototype.startsWith() method (GHSA-vhw5-3g5m-8ggf). This check is semantically insufficient: startsWith() performs a pure string prefix comparison and does not assess whether the match occurs at a DNS label boundary.
A hostname such as modelcontextprotocol.io.attacker.com satisfies a startsWith("modelcontextprotocol.io") check because the string modelcontextprotocol.io is a literal prefix of the full hostname. However, the hostname resolves entirely to attacker.com's DNS zone -- the modelcontextprotocol.io substring is merely a label structure that the attacker controls by registering the appropriate domain (GHSA-vhw5-3g5m-8ggf).
Correct Validation Approaches
The startsWith() pattern can be contrasted with secure alternatives (RAXE assessment):
- Suffix matching (endsWith()) with a preceding dot boundary: hostname === trustedDomain || hostname.endsWith("." + trustedDomain) -- ensures the matched domain is an exact match or a genuine subdomain.
- URL parsing via the URL constructor followed by exact hostname comparison against the allowlist.
- Public Suffix List (PSL) validation -- resolves the registerable domain from the hostname and compares against the allowlist.
The advisory does not detail which remediation technique was implemented in version 1.0.111.
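The contrast drawn above, as an added example (not Anthropic's code, and not a statement of how 1.0.111 fixes the check): the prefix comparison beside an exact-or-dot-boundary comparison on a parsed hostname. The function names and sample URLs are assumptions; the two trusted domains are the ones the advisory names.

```javascript
// Added example, not Claude Code's implementation. TRUSTED_DOMAINS uses the two
// domains the advisory names; all function names are hypothetical.
const TRUSTED_DOMAINS = ["modelcontextprotocol.io", "docs.python.org"];

// Parse with the WHATWG URL constructor so the hostname is lowercased and
// separated from path, port and query. Returns null for unparseable input.
function hostnameOf(rawUrl) {
  try {
    // A single trailing root dot ("docs.python.org.") names the same host.
    return new URL(rawUrl).hostname.replace(/\.$/, "");
  } catch {
    return null;
  }
}

// The pattern the advisory describes: a plain string prefix comparison.
function isTrustedByPrefix(rawUrl) {
  const host = hostnameOf(rawUrl);
  return host !== null && TRUSTED_DOMAINS.some((d) => host.startsWith(d));
}

// Label-boundary check: exact match, or (only if opted in) a genuine
// subdomain, which requires a "." immediately before the trusted name.
function isTrustedByBoundary(rawUrl, { allowSubdomains = false } = {}) {
  const host = hostnameOf(rawUrl);
  if (!host) return false;
  return TRUSTED_DOMAINS.some(
    (d) => host === d || (allowSubdomains && host.endsWith("." + d))
  );
}

// Constructed sample URLs covering the cases the section discusses.
const SAMPLE_URLS = [
  "https://docs.python.org/3/library/urllib.parse.html", // exact match
  "https://DOCS.PYTHON.ORG./3/",                         // case + trailing root dot
  "https://sub.modelcontextprotocol.io/spec",            // genuine subdomain
  "https://modelcontextprotocol.io.example.com/docs",    // prefix-spoofed (from the advisory text)
  "https://notmodelcontextprotocol.io/",                 // suffix without a label boundary
  "not a url",                                           // unparseable input
];

// Run every check over every URL so the differences are visible side by side.
function compareChecks(urls = SAMPLE_URLS) {
  return urls.map((url) => ({
    url,
    prefix: isTrustedByPrefix(url),
    exact: isTrustedByBoundary(url),
    withSubdomains: isTrustedByBoundary(url, { allowSubdomains: true }),
  }));
}

console.table(compareChecks());
```

The prefix check both accepts the spoofed hostname and rejects the genuine subdomain, so it is wrong in both directions.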
CVSS Vector Decomposition
| Vector Component | Value | Meaning | Source |
|---|---|---|---|
| AV:N | Network | Exploitable remotely | NVD |
| AC:L | Low | No specialised conditions required | NVD |
| PR:N | None | Unauthenticated -- no privileges needed | NVD |
| UI:R | Required | User interaction is necessary | NVD |
| S:C | Changed | Cross-boundary impact -- affects resources beyond the vulnerable component | NVD |
| C:H | High | Complete loss of confidentiality | NVD |
| I:N | None | No integrity impact | NVD |
| A:N | None | No availability impact | NVD |
Exploitability sub-score: 2.8 (NVD)
Impact sub-score: 4.0 (NVD)
Weakness Classification
- CWE-601 -- URL Redirection to Untrusted Site (primary, assigned by MITRE): The startsWith() check allows requests to be directed to domains that appear trusted but resolve to attacker-controlled infrastructure (NVD).
- CWE-20 -- Improper Input Validation (assigned by vendor): The domain validation logic does not properly enforce hostname boundaries (GHSA-vhw5-3g5m-8ggf).
MITRE ATLAS Mapping
| Technique | ID | Relevance |
|---|---|---|
| LLM Data Leakage | AML.T0057 | The bypass enables exfiltration of data from Claude Code sessions to attacker-controlled infrastructure, constituting data leakage from an LLM-powered tool (RAXE assessment) |
Attack Prerequisites
| Prerequisite | Detail | Source |
|---|---|---|
| Domain registration | Attacker must register a domain whose label structure starts with a trusted domain string | GHSA-vhw5-3g5m-8ggf |
| Web server | Attacker requires a server at the spoofed domain to receive HTTP requests | GHSA-vhw5-3g5m-8ggf |
| Victim Claude Code version | Target must be running @anthropic-ai/claude-code < 1.0.111 | NVD |
| User interaction | A WebFetch request to the spoofed URL must be initiated during a Claude Code session | NVD |
| No elevated privileges | No authentication or prior access to the victim environment required | NVD |
Capability barrier: Low. Domain registration is a publicly available commercial service. The bypass requires only knowledge of Claude Code's trusted domain list and the startsWith() validation pattern, both of which are derivable from the public advisory text (RAXE assessment).
Confidence & Validation
Assessment Confidence: High
| Aspect | Status | Detail |
|---|---|---|
| Vendor Advisory | Confirmed | GHSA-vhw5-3g5m-8ggf published, vendor-acknowledged (GHSA-vhw5-3g5m-8ggf) |
| CVE Assigned | Yes | CVE-2026-24052, published 2026-02-03, last modified 2026-02-06 (NVD) |
| PoC Available | Conceptual | Advisory describes exploitation mechanism; no public exploit code (GHSA-vhw5-3g5m-8ggf) |
| Patch Available | Yes | Version 1.0.111 (NVD, GHSA-vhw5-3g5m-8ggf) |
| Exploited in Wild | Not known | No CISA KEV listing; no public reports of active exploitation (NVD) |
| EPSS | 0.039% (12th percentile) | Low predicted exploitation probability (FIRST.org EPSS) |
Key Assumptions (KAC)
| # | Assumption | Confidence | Basis |
|---|---|---|---|
| K1 | The vulnerability is exploitable as described in the advisory | High | Vendor confirmed and patched; reporter credited via HackerOne (GHSA-vhw5-3g5m-8ggf) |
| K2 | The startsWith() check was the sole domain validation mechanism | High | Advisory describes it as the validation mechanism; fix released in a single version bump (GHSA-vhw5-3g5m-8ggf) |
| K3 | User interaction is required for exploitation | High | CVSS vector explicitly includes UI:R (NVD) |
| K4 | No public proof-of-concept exists at time of writing | Medium | No PoC referenced in NVD or GHSA; reporter disclosed via HackerOne (GHSA-vhw5-3g5m-8ggf) |
| K5 | No active exploitation in the wild at time of writing | Medium | No CISA KEV listing; no public reports of exploitation; EPSS at 12th percentile (NVD, FIRST.org EPSS) |
Diamond Model
| Element | Assessment |
|---|---|
| Adversary | An attacker capable of registering a domain name that spoofs a trusted domain prefix. No advanced capability required. |
| Capability | Low barrier. Domain registration is trivial; the startsWith() bypass requires only knowledge of Claude Code's trusted domain list. |
| Infrastructure | Attacker-registered domain (e.g., modelcontextprotocol.io.evil.com) and a web server to receive exfiltrated data. |
| Victim | Developers and organisations using Claude Code versions prior to 1.0.111 with WebFetch enabled. |
Detection Signatures (Formal Rules)
Note: These detection rules are based on trusted-domain examples documented in the advisory (e.g., modelcontextprotocol.io, docs.python.org). Rules must be updated if the Claude Code trusted-domain allowlist changes in future versions.
Sigma Rule 1 -- Network: Outbound HTTPS to Prefix-Spoofed Trusted Domain
Detects outbound HTTPS connections from the Claude Code Node.js process to a hostname that begins with a known trusted domain string but resolves to a different registerable domain (GHSA-vhw5-3g5m-8ggf).
```yaml
title: Claude Code WebFetch Request to Prefix-Spoofed Trusted Domain (CVE-2026-24052)
id: 7a3f2c1e-8b4d-4e9a-b2f6-1c5d7e9a0b3f
status: experimental
description: >
    Detects outbound HTTPS connections from the Claude Code Node.js process to a hostname
    that begins with a known Claude Code trusted domain string but resolves to a different
    registerable domain. This is the network-layer manifestation of the startsWith() domain
    validation bypass described in CVE-2026-24052 and GHSA-vhw5-3g5m-8ggf.
    Affected package: @anthropic-ai/claude-code < 1.0.111 (npm).
references:
    - https://nvd.nist.gov/vuln/detail/CVE-2026-24052
    - https://github.com/anthropics/claude-code/security/advisories/GHSA-vhw5-3g5m-8ggf
    - https://atlas.mitre.org/techniques/AML.T0057
author: RAXE Labs (M. Hirani)
date: 2026-03-09
tags:
    - attack.exfiltration
    - cve.2026-24052
    - cwe.601
    - cwe.20
    - raxe.2026-022
logsource:
    category: network_connection
    product: windows
detection:
    selection_process:
        Image|endswith:
            - '\node.exe'
            - '/node'
        # CommandLine is not part of Sysmon Event ID 3; this selection needs telemetry
        # that enriches network events with the process command line.
        CommandLine|contains:
            - 'claude'
    selection_destination:
        DestinationPort: 443
        # Trailing dot: trusted name followed by further DNS labels
        DestinationHostname|startswith:
            - 'modelcontextprotocol.io.'
            - 'docs.python.org.'
    condition: selection_process and selection_destination
falsepositives:
    - Legitimate subdomains of trusted domains (verify the matched destination is not a
      genuine subdomain of the trusted domain)
    - Network proxy logs may normalise hostnames differently
level: high
```
Sigma Rule 2 -- DNS: Resolution of Prefix-Spoofed Trusted Domain Hostname
Detects DNS queries for hostnames that begin with a known trusted domain followed by additional DNS labels, matching the structural startsWith() bypass pattern (GHSA-vhw5-3g5m-8ggf).
```yaml
title: DNS Query for Prefix-Spoofed Claude Code Trusted Domain (CVE-2026-24052)
id: 2e8c4f7a-1d3b-4a6e-9c0f-5b2d8e4a7c1e
status: experimental
description: >
    Detects DNS queries for hostnames that begin with a known Claude Code trusted domain
    followed by a dot and additional DNS labels, matching the structural pattern of the
    startsWith() bypass in CVE-2026-24052. DNS resolution is observable before TLS
    establishment and is visible regardless of HTTPS inspection capability.
    Affected package: @anthropic-ai/claude-code < 1.0.111 (npm).
references:
    - https://nvd.nist.gov/vuln/detail/CVE-2026-24052
    - https://github.com/anthropics/claude-code/security/advisories/GHSA-vhw5-3g5m-8ggf
    - https://atlas.mitre.org/techniques/AML.T0057
author: RAXE Labs (M. Hirani)
date: 2026-03-09
tags:
    - attack.exfiltration
    - attack.reconnaissance
    - cve.2026-24052
    - cwe.601
    - cwe.20
    - raxe.2026-022
logsource:
    category: dns
detection:
    selection:
        # If the log source records fully qualified names with a trailing root dot
        # ('docs.python.org.'), strip it before matching or the legitimate name matches too.
        QueryName|startswith:
            - 'modelcontextprotocol.io.'
            - 'docs.python.org.'
    condition: selection
falsepositives:
    - Mistyped hostnames where a user accidentally appends additional labels
    - Internal DNS resolvers that append search domain suffixes
level: high
```
Sigma Rule 3 -- Application Log: WebFetch Request to Spoofed Domain
Detects Claude Code application log entries recording a WebFetch request to a destination matching the prefix-spoofed domain pattern (GHSA-vhw5-3g5m-8ggf).
```yaml
title: Claude Code WebFetch Request to Non-Allowlisted Destination (CVE-2026-24052)
id: 9b5e1d4c-3f7a-4c8b-a1e2-6d0f3b8e2a9c
status: experimental
description: >
    Detects Claude Code application log entries recording a WebFetch request to a destination
    that matches the startsWith() bypass pattern. Applicable where Claude Code diagnostic
    or debug logging is enabled.
    Affected package: @anthropic-ai/claude-code < 1.0.111 (npm).
references:
    - https://nvd.nist.gov/vuln/detail/CVE-2026-24052
    - https://github.com/anthropics/claude-code/security/advisories/GHSA-vhw5-3g5m-8ggf
    - https://atlas.mitre.org/techniques/AML.T0057
author: RAXE Labs (M. Hirani)
date: 2026-03-09
tags:
    - attack.exfiltration
    - cve.2026-24052
    - cwe.601
    - cwe.20
    - raxe.2026-022
logsource:
    product: claude-code
    category: application
detection:
    selection_webfetch:
        message|contains:
            - 'WebFetch'
            - 'webfetch'
            - 'fetch'
    selection_spoofed_domains:
        message|contains:
            - 'modelcontextprotocol.io.'
            - 'docs.python.org.'
    condition: selection_webfetch and selection_spoofed_domains
falsepositives:
    - Log lines containing both 'fetch' and a spoofed-pattern hostname in a debugging
      context unrelated to actual outbound requests
level: high
```
Sigma Rule 4 -- Endpoint: Node.js Outbound TLS to Non-Allowlisted Host
Broad hunting rule detecting unexpected outbound TLS connections from the Claude Code Node.js process (GHSA-vhw5-3g5m-8ggf).
```yaml
title: Claude Code Node.js Process Outbound TLS to Non-Allowlisted Host (CVE-2026-24052)
id: 4c7a9e2f-6b1d-4f3c-8e5a-0d2b7c4e9f1a
status: experimental
description: >
    Detects a Node.js process associated with Claude Code establishing an outbound TLS
    connection (port 443) to a destination hostname that does not match a baseline allowlist.
    The filter includes the two trusted domains documented in GHSA-vhw5-3g5m-8ggf plus
    likely operational domains (anthropic.com, npmjs.org) added by RAXE assessment.
    Broad safety net for endpoint environments with EDR/XDR process-level network telemetry.
    Tune the filter_allowlisted_* lists to match your environment before deployment.
    Affected package: @anthropic-ai/claude-code < 1.0.111 (npm).
references:
    - https://nvd.nist.gov/vuln/detail/CVE-2026-24052
    - https://github.com/anthropics/claude-code/security/advisories/GHSA-vhw5-3g5m-8ggf
    - https://atlas.mitre.org/techniques/AML.T0057
author: RAXE Labs (M. Hirani)
date: 2026-03-09
tags:
    - attack.exfiltration
    - cve.2026-24052
    - cwe.601
    - cwe.20
    - raxe.2026-022
logsource:
    category: network_connection
    product: windows
detection:
    selection_process:
        Image|endswith:
            - '\node.exe'
            - '/node'
        CommandLine|contains:
            - 'claude'
        DestinationPort: 443
        Initiated: 'true'
    # Exact hostnames on the baseline allowlist
    filter_allowlisted_exact:
        DestinationHostname:
            - 'modelcontextprotocol.io'
            - 'docs.python.org'
            - 'anthropic.com'
            - 'registry.npmjs.org'
    # Genuine subdomains only: the leading dot enforces a DNS label boundary, so a
    # hostname that merely ends in the same characters is not filtered out.
    filter_allowlisted_subdomains:
        DestinationHostname|endswith:
            - '.modelcontextprotocol.io'
            - '.docs.python.org'
            - '.anthropic.com'
            - '.registry.npmjs.org'
    condition: selection_process and not 1 of filter_allowlisted_*
falsepositives:
    - Legitimate outbound connections from Claude Code to destinations not in the
      allowlist filter. Baseline before deploying at production alert level.
level: medium
```
Deployment Summary
| Rule | ID | Layer | Severity | Primary Use Case |
|---|---|---|---|---|
| Rule 1 | 7a3f2c1e | Network | High | Alert on observed spoofed-domain HTTPS connections |
| Rule 2 | 2e8c4f7a | DNS | High | Alert on DNS queries for spoofed-pattern hostnames |
| Rule 3 | 9b5e1d4c | Application log | High | Alert on WebFetch log entries citing spoofed domains |
| Rule 4 | 4c7a9e2f | Endpoint (process) | Medium | Hunt for unexpected outbound destinations from Node.js/claude |
Recommended deployment order: Deploy Rule 2 (DNS) first -- lowest false-positive rate, widest platform coverage, no TLS inspection required. Deploy Rule 1 (Network) on perimeter firewalls and NDR tools with hostname visibility. Deploy Rule 3 (Application log) if Claude Code log output is centralised. Deploy Rule 4 (Endpoint) as a hunting rule after allowlist baselining.
Detection & Mitigation
Immediate Actions
- Upgrade to Claude Code version 1.0.111 or later -- This is the primary remediation. The patch addresses the startsWith() domain validation bypass (GHSA-vhw5-3g5m-8ggf). If auto-update is enabled, the fix may already be applied.
- Restrict or disable WebFetch -- If an immediate upgrade is not possible, restrict WebFetch functionality until the update is applied to prevent the exfiltration channel.
- Review WebFetch request logs -- Audit any available Claude Code diagnostic logs for connections to hostnames that follow the prefix-spoofing pattern (e.g., trustedsite.com.attacker.com).
Short-Term Actions (Within 1 Week)
- Audit agentic AI tool domain validation -- Review all AI agent tools in the environment that perform autonomous web requests. Check domain validation logic for startsWith() or equivalent prefix-only matching patterns. Any tool that validates trusted domains via prefix comparison is potentially vulnerable to the same class of bypass (RAXE assessment).
- Deploy detection signatures -- Implement Sigma Rules 1--4 (above) in your SIEM or EDR platform. Begin with Rule 2 (DNS) for fastest deployment with lowest false-positive risk.
- Verify development environment isolation -- Ensure that development environments running Claude Code are not exposed to untrusted network content or repository artefacts that could trigger malicious WebFetch requests.
Strategic Recommendations
- Assess all AI agent tool-use implementations -- The startsWith() bypass is a specific instance of a broader class of trust-boundary validation failures in agentic architectures. Organisations should review every interface between AI agents and external resources for similar input validation weaknesses (RAXE assessment).
- Establish agentic tool security review process -- Require security review of all agentic AI tool integrations before deployment, with specific attention to URL validation, domain allowlisting, and autonomous web request capability.
- Track Anthropic's security advisory feed -- Monitor for further Claude Code WebFetch hardening measures and related advisories at https://github.com/anthropics/claude-code/security/advisories.
Indicators of Compromise
| Type | Indicator | Context |
|---|---|---|
| Behavioural | DNS query for hostname matching <trusted-domain>.<additional-labels> from Claude Code process | Prefix-spoofed domain resolution preceding exfiltration (GHSA-vhw5-3g5m-8ggf) |
| Behavioural | Outbound HTTPS (port 443) from Node.js/claude process to hostname not in canonical trusted list | WebFetch bypass -- request to attacker-controlled infrastructure (NVD) |
| Network | TLS connection to hostname starting with modelcontextprotocol.io. or docs.python.org. followed by additional DNS labels | Direct exploitation indicator (GHSA-vhw5-3g5m-8ggf) |
| File | Repository files or documentation containing URLs with prefix-spoofed trusted domains | Potential delivery mechanism for triggering the WebFetch bypass |
| Process | Claude Code version below 1.0.111 (claude --version) | Vulnerable installation present (NVD) |
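A triage helper for the log and repository-file indicators in the table above, added here as an example (not part of Claude Code or of the Sigma rules): it extracts URLs from text and reports hostnames of the form <trusted-domain>.<additional-labels>, while treating exact matches, genuine subdomains and a trailing root dot as benign. The log format, function names and sample lines are constructed assumptions.

```javascript
// Added example: triage helper, not part of Claude Code or the RAXE rule set.
// ADVISORY_TRUSTED holds the two domains named in the advisory.
const ADVISORY_TRUSTED = ["modelcontextprotocol.io", "docs.python.org"];

// Loose URL matcher for free text; stops at whitespace, quotes and closing brackets.
const URL_PATTERN = /https?:\/\/[^\s"'<>)\]]+/gi;

// Classify one hostname against the trusted list.
function classifyHost(hostname, trusted = ADVISORY_TRUSTED) {
  // Lowercase and drop a trailing root dot so "docs.python.org." is not
  // mistaken for "trusted name followed by more labels".
  const host = hostname.toLowerCase().replace(/\.$/, "");
  for (const d of trusted) {
    if (host === d) return { verdict: "trusted", matched: d };
    if (host.endsWith("." + d)) return { verdict: "subdomain", matched: d };
    if (host.startsWith(d + ".")) return { verdict: "prefix-spoofed", matched: d };
  }
  return { verdict: "other", matched: null };
}

// Scan text (a log file, README, repository instructions) line by line and
// return one finding per URL whose host imitates a trusted domain by prefix.
function findPrefixSpoofedUrls(text, trusted = ADVISORY_TRUSTED) {
  const findings = [];
  text.split(/\r?\n/).forEach((line, idx) => {
    for (const raw of line.match(URL_PATTERN) || []) {
      let host;
      try {
        host = new URL(raw).hostname;
      } catch {
        continue; // not a parseable URL, nothing to classify
      }
      const { verdict, matched } = classifyHost(host, trusted);
      if (verdict === "prefix-spoofed") {
        findings.push({ line: idx + 1, url: raw, host, impersonates: matched });
      }
    }
  });
  return findings;
}

// Constructed sample input: three log lines in an assumed format and two
// lines of documentation text.
const SAMPLE_TEXT = [
  "2026-02-01T10:00:01Z WebFetch GET https://docs.python.org/3/library/json.html",
  "2026-02-01T10:00:07Z WebFetch GET https://modelcontextprotocol.io.example.com/docs?ctx=1",
  "See https://sub.modelcontextprotocol.io/spec for details.",
  "Docs live at https://docs.python.org.",
  "Setup guide: (https://docs.python.org.example.net/setup)",
].join("\n");

console.table(findPrefixSpoofedUrls(SAMPLE_TEXT));
```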
Strategic Context
The Claude Code domain validation bypass sits at the intersection of two significant trends in the AI security landscape: the expansion of agentic tool-use capabilities and the persistent difficulty of implementing robust URL/domain validation.
AI agents are acquiring autonomous network capabilities. As AI coding assistants evolve from prompt-response interfaces into agentic tools that can browse documentation, fetch resources, and interact with external services, the attack surface extends from the model itself to the entire tool-use infrastructure. Claude Code's WebFetch feature is an early example of this pattern, and the startsWith() bypass demonstrates that the security engineering of these capabilities is still maturing. Domain validation -- a problem the web security community has grappled with for decades -- must now be addressed in every agentic tool that maintains a trust boundary for external requests (RAXE assessment).
Prefix matching is a known anti-pattern, yet it recurs. The startsWith() bypass is not a novel technique. Open redirect and SSRF vulnerabilities arising from insufficient URL validation have been documented extensively in web application security literature. The recurrence of this pattern in an AI agent context suggests that the development practices surrounding agentic tool-use features have not yet fully absorbed the lessons of web security engineering. This creates a window of opportunity for defenders to proactively audit agentic tools for known URL validation pitfalls before exploitation occurs (RAXE assessment).
The scope change (S:C) is the strategic signal. While the CVSS score of 7.4 classifies this as high-severity rather than critical, the Scope: Changed designation is the most strategically significant element. It indicates that the Claude Code application's security boundary is not self-contained -- a flaw in the agent's domain validation can affect resources and data stores outside the application itself. As AI agents gain deeper integration into development workflows and access to sensitive codebases, scope-changing vulnerabilities in their tool-use layers become increasingly consequential (RAXE assessment).
Cross-finding pattern with RAXE-2026-014. This finding complements RAXE-2026-014 (MCP Server Git Path Traversal, CVE-2026-27735) in establishing a recurring pattern of security weaknesses at the interface between AI agents and external resources. Taken together, these findings suggest that the tool-use layer of AI agent architectures -- including URL fetching, file access, and MCP integrations -- is a consistently undervalidated attack surface warranting dedicated security attention (RAXE assessment).
References
- CVE-2026-24052 -- NVD entry, CVSS 7.4 HIGH, CWE-601, published 2026-02-03 (NVD)
- GHSA-vhw5-3g5m-8ggf -- Domain Validation Bypass Allows Automatic Requests to Attacker-Controlled Domains, CVSS v4.0 7.1 HIGH, reporter: 47sid-praetorian (GHSA-vhw5-3g5m-8ggf)
- MITRE ATLAS: AML.T0057 -- LLM Data Leakage -- Technique mapping for data exfiltration from LLM-powered tools
- FIRST.org EPSS: CVE-2026-24052 -- Exploit Prediction Scoring System, 0.039% probability, 12th percentile