2026-02-03 — Claude Code trusted-domain validation bypass (CVE-2026-24052)¶

What happened: Claude Code’s WebFetch “trusted domain” verification used a startsWith() check, allowing attacker-controlled domains like modelcontextprotocol.io.example.com to pass validation meant for modelcontextprotocol.io.

Why it matters: Any agent/tool that automatically fetches URLs based on a “trusted domains” allowlist can be tricked into contacting attacker infrastructure without explicit user consent.

• Potential impact: data exfiltration (query strings, prompts, context, metadata) and persistence via poisoning of fetched content.
• This is the agent-era equivalent of a classic URL parsing / origin validation bug.

Durable guidance (defensive)¶

If you implement a “trusted domains” allowlist for automated fetches:

1. Parse URLs (don’t string-match).
2. Validate against the hostname, not the full URL string.

3. If you allow subdomains, enforce a dot-boundary suffix match:

4. ✅ host == example.com OR host.endswith(".example.com")

5. ❌ host.startswith("example.com") (bypass via example.com.attacker.tld)

6. Normalize before comparison:

7. lower-case host
8. remove trailing dot
9. reject userinfo (user@host) surprises

10. consider punycode/IDN (xn--…) handling

11. Don’t forget redirects:

12. validate the final destination (and ideally each hop)

13. cap redirect depth

14. Prefer human-in-the-loop for cross-domain fetches.

Status¶

GitHub’s advisory notes that users on standard auto-update have received the fix.

References¶

• GitHub Advisory Database: https://github.com/advisories/GHSA-vhw5-3g5m-8ggf
• Upstream advisory: https://github.com/anthropics/claude-code/security/advisories/GHSA-vhw5-3g5m-8ggf