Is Python affected by CVE-2026-24052?

Claude Code versions prior to 1.0.111 contain a URL validation flaw that could allow attackers to trick the application into making automatic requests to malicious domains they control.

CVE-2026-24052

HIGH

2026-02-03 [email protected]

GHSA-vhw5-3g5m-8ggf

7.4

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

None

Availability

None

Lifecycle Timeline

Patch Released

Mar 31, 2026 - 21:13 nvd

Patch available

Analysis Generated

Mar 12, 2026 - 21:54 vuln.today

CVE Published

Feb 03, 2026 - 21:16 nvd

HIGH 7.4

Description

Claude Code is an agentic coding tool. Prior to version 1.0.111, Claude Code contained insufficient URL validation in its trusted domain verification mechanism for WebFetch requests. The application used a startsWith() function to validate trusted domains (e.g., docs.python.org, modelcontextprotocol.io), this could have enabled attackers to register domains like modelcontextprotocol.io.example.com that would pass validation. This could enable automatic requests to attacker-controlled domains without user consent, potentially leading to data exfiltration. This issue has been patched in version 1.0.111.

Analysis

Claude Code versions prior to 1.0.111 fail to properly validate trusted domains for WebFetch requests, allowing attackers to register lookalike domains (e.g., modelcontextprotocol.io.example.com) that bypass validation checks. This enables unauthorized automated requests to attacker-controlled servers without user interaction, potentially resulting in sensitive data exfiltration from the user's environment. …

Remediation

Within 24 hours: Identify all Claude Code installations and their versions across your organization. Within 7 days: Implement network segmentation to restrict Claude Code's outbound access to only verified, necessary domains, and disable WebFetch functionality if not operationally critical. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.0

CVSS: +37

POC: 0

CVE-2026-24052 vulnerability details – vuln.today

Back

CVE-2026-24052

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Analysis

Full analysis requires sign-in

Priority Score

Share

CVE-2026-24052

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Full analysis requires sign-in

Priority Score

Share

External POC / Exploit Code