CVE-2026-24052: CWE-601: URL Redirection to Untrusted Site ('Open Redirect') in anthropics claude-code
CVE-2026-24052 is a high-severity open redirect vulnerability in anthropics' Claude Code agentic coding tool prior to version 1.0.111. The flaw arises from improper URL validation using a startsWith() check, allowing attacker-controlled domains like modelcontextprotocol.io.example.com to bypass trusted domain verification. This can cause automatic WebFetch requests to malicious domains without user consent, potentially leading to data exfiltration. No authentication or privileges are required to exploit this vulnerability, but user interaction is needed. The issue has been patched in version 1.0.111.
AI Analysis (machine-generated threat intelligence)
Technical Summary
CVE-2026-24052 is an open redirect vulnerability classified under CWE-601 found in anthropics' Claude Code, an agentic coding tool designed to automate coding tasks. The vulnerability exists in versions prior to 1.0.111 due to insufficient validation of URLs in the trusted domain verification mechanism for WebFetch requests. Specifically, the application uses a simplistic startsWith() check to decide whether a URL belongs to a trusted domain such as docs.python.org or modelcontextprotocol.io. This approach is flawed because the trusted domain name only has to appear as a prefix of the string: an attacker-controlled hostname that begins with the trusted name and continues with further labels (e.g., modelcontextprotocol.io.example.com) passes validation even though it is a completely different domain. Consequently, the application may automatically send requests to these malicious domains without explicit user consent. This behavior can be exploited to exfiltrate sensitive data or perform other malicious activities by redirecting traffic to attacker-controlled endpoints. The vulnerability does not require any authentication or privileges, but exploitation requires user interaction to trigger the WebFetch request. The CVSS v4.0 score is 7.1 (high severity), reflecting the network attack vector, low attack complexity, no privileges required, user interaction needed, and high impact on confidentiality. The issue was publicly disclosed on February 3, 2026, and has been patched in version 1.0.111 of Claude Code. No known exploits have been reported in the wild to date.
Potential Impact
For European organizations, this vulnerability poses a significant risk, especially for those leveraging Claude Code in their software development or automation workflows. The automatic redirection to attacker-controlled domains can lead to unauthorized data exfiltration, potentially exposing sensitive intellectual property, credentials, or internal API data. This can undermine confidentiality and trust in automated coding tools. Given the high adoption of advanced coding assistants in European tech hubs, the risk of targeted exploitation is non-trivial. Additionally, organizations in regulated sectors such as finance, healthcare, and critical infrastructure may face compliance and reputational damage if sensitive data is leaked. The requirement for user interaction means phishing or social engineering could be used to trigger the exploit, increasing the attack surface. Although no active exploits are known, the vulnerability's characteristics make it a likely candidate for future exploitation, especially as attackers craft sophisticated supply chain or development environment attacks.
Mitigation Recommendations
European organizations using Claude Code should immediately upgrade to version 1.0.111 or later, where the vulnerability has been patched. Until upgrading is possible, organizations should implement strict network egress filtering to restrict WebFetch requests to only verified and necessary domains, preventing connections to suspicious subdomains. Security teams should audit and monitor WebFetch usage logs for anomalous or unexpected outbound requests. User training should emphasize caution when interacting with automated tools that perform network requests, highlighting the risk of open redirects. Additionally, organizations can implement runtime application self-protection (RASP) or web application firewalls (WAF) with custom rules to detect and block suspicious URL patterns resembling subdomain spoofing. Finally, integrating URL validation libraries that perform exact domain matching rather than prefix checks can prevent similar vulnerabilities in custom tools.
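The following is an added illustration, not code from Claude Code or from the advisory: the prefix-based check described above placed beside a hostname-based replacement that parses the URL first. The domain list, the function names and the sample URLs are constructed for the example; beyond the advisory's subdomain lookalike it also exercises a userinfo-style lookalike and a wrong scheme, which a raw prefix test likewise handles badly.

```javascript
// Illustrative trusted-domain list (assumption, not the tool's real list).
const TRUSTED_DOMAINS = ["docs.python.org", "modelcontextprotocol.io"];

// Vulnerable pattern: a plain string prefix test on the URL text. Any URL
// whose characters begin with "https://<trusted>" passes, including hosts
// that merely start with the trusted name and then continue.
function isTrustedPrefixCheck(url) {
  return TRUSTED_DOMAINS.some((d) => url.startsWith(`https://${d}`));
}

// Hardened check: parse with the WHATWG URL parser, require https, and
// compare the parsed hostname exactly or as a label-aligned subdomain.
// (Drop the endsWith branch if subdomains should not be trusted at all.)
function isTrustedHost(url) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch {
    return false; // unparseable input is never trusted
  }
  if (parsed.protocol !== "https:") return false;
  const host = parsed.hostname.toLowerCase();
  return TRUSTED_DOMAINS.some((d) => host === d || host.endsWith(`.${d}`));
}

// Constructed sample URLs: one legitimate, the advisory's lookalike, and
// other hostname-confusion shapes a parse-based check must also reject.
const SAMPLES = [
  "https://modelcontextprotocol.io/docs", // legitimate
  "https://modelcontextprotocol.io.example.com/x", // lookalike from the advisory
  "https://modelcontextprotocol.io@example.com/x", // trusted name in userinfo
  "http://modelcontextprotocol.io/", // wrong scheme
];

// Evaluate every sample under both checks so the divergence is visible.
function compare(urls) {
  return urls.map((u) => ({
    url: u,
    prefixCheck: isTrustedPrefixCheck(u),
    hostCheck: isTrustedHost(u),
  }));
}

for (const r of compare(SAMPLES)) {
  console.log(`${r.url}  prefix=${r.prefixCheck}  host=${r.hostCheck}`);
}
```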
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Ireland
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-01-20T22:30:11.778Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 698261daf9fa50a62fdf39df
Added to database: 2/3/2026, 9:00:10 PM
Last enriched: 2/11/2026, 11:46:22 AM
Last updated: 3/21/2026, 6:33:05 AM