CVE-2026-24052: CWE-601: URL Redirection to Untrusted Site ('Open Redirect') in anthropics claude-code
CVE-2026-24052 is a high-severity open redirect vulnerability in anthropics' Claude Code agentic coding tool, versions prior to 1.0.111. The flaw arises from improper URL validation: a startsWith() check against trusted domain names lets attacker-controlled domains that merely begin with a trusted domain name pass validation. This can lead to automatic WebFetch requests to malicious domains without user consent, potentially enabling data exfiltration. The vulnerability requires no privileges but does need user interaction to trigger. It has been patched in version 1.0.111, and no known exploits are currently reported in the wild. European organizations using affected versions should prioritize updating to mitigate risks.
AI Analysis
Technical Summary
CVE-2026-24052 is an open redirect vulnerability classified under CWE-601 affecting anthropics' Claude Code, an agentic coding tool designed to automate coding tasks. The vulnerability stems from insufficient URL validation in the trusted domain verification mechanism used for WebFetch requests. Specifically, the application used a naive startsWith() check to decide whether a URL belonged to a trusted domain such as docs.python.org or modelcontextprotocol.io. Because the check only tests whether the URL string begins with the trusted domain name, an attacker-controlled domain that starts with that name, for example modelcontextprotocol.io.example.com, passes validation. Consequently, the application could be tricked into making automatic HTTP requests to malicious domains without explicit user consent. Such behavior can lead to data exfiltration if sensitive information is included in these requests or responses. The vulnerability does not require any privileges or authentication but does require user interaction to trigger the WebFetch request. The CVSS 4.0 score of 7.1 reflects a high severity due to the network attack vector, low complexity, no privileges required, and high confidentiality impact. The issue was addressed and patched in Claude Code version 1.0.111 by improving the domain validation logic to correctly verify trusted domains and prevent prefix-based bypasses. No known exploits have been reported in the wild as of the publication date, but the vulnerability poses a significant risk if exploited.
Potential Impact
For European organizations, this vulnerability could lead to unauthorized data exfiltration through automated requests to attacker-controlled domains, compromising sensitive coding or project data handled by Claude Code. Since Claude Code is an agentic coding tool, it may have access to proprietary source code, internal APIs, or confidential project information. Exploitation could result in leakage of intellectual property or sensitive development data, potentially damaging competitive advantage and violating data protection regulations such as GDPR. The automatic nature of the requests means that users might be unaware of the data leakage, increasing the risk of unnoticed breaches. Additionally, if attacker domains are used for phishing or malware delivery, it could further compromise organizational security. The requirement for user interaction limits mass exploitation but targeted attacks against developers or DevOps teams are plausible. The impact on availability and integrity is minimal, but confidentiality is significantly affected.
Mitigation Recommendations
European organizations using Claude Code should immediately upgrade to version 1.0.111 or later, where the vulnerability is patched. Until the upgrade is applied, restrict or monitor WebFetch requests made by Claude Code to untrusted domains through network-level controls such as web proxies or firewall rules that enforce a domain allowlist. Implement strict domain validation and URL filtering policies in internal tools and workflows that integrate with Claude Code. Educate developers and users about the risks of interacting with untrusted URLs or domains, especially those that resemble trusted domains but carry additional labels or subdomains. Conduct regular code audits and penetration testing focusing on URL validation logic in agentic tools. Employ runtime monitoring to detect unusual outbound HTTP requests from Claude Code processes. Finally, maintain an incident response plan to quickly address any suspected data exfiltration events.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Ireland
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-01-20T22:30:11.778Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 698261daf9fa50a62fdf39df
Added to database: 2/3/2026, 9:00:10 PM
Last enriched: 2/3/2026, 9:14:56 PM
Last updated: 2/3/2026, 11:04:01 PM