CVE Catalog

CVE-2026-54316

CriticalCVSS 9.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.42%

33th percentile — higher than 33% of all known CVEs

Summary

A vulnerability in Claude Code (versions 0.2.54 to 2.1.163) auto-approves WebFetch requests to huggingface.co without a permission prompt or --allowedTools restrictions. An attacker can exploit this to send requests to attacker-controlled repositories, creating a covert channel for data exfiltration.

Risk Assessment

The risk involves potential theft of files, environment variables, or command output by an attacker who can inject untrusted content into the Claude Code context. This could lead to leakage of sensitive organizational data.

Recommendation

Immediately update Claude Code to version 2.1.163 or later. Additionally, restrict WebFetch tool access and enforce strict --allowedTools rules.

Original NVD description (English source)

Claude Code is an agentic coding tool. From 0.2.54 until 2.1.163, because the hostname huggingface.co was pre-approved as a bare hostname for the WebFetch tool, any path on that domain—including attacker-controlled model repositories—was auto-approved without a permission prompt or being subject to --allowedTools restrictions. An attacker able to inject untrusted content into a Claude Code context could direct it to issue WebFetch requests against attacker-controlled repository files (e.g. /resolve/main/config.json), which HuggingFace counts as downloads server-side, creating a covert out-of-band channel for encoding and exfiltrating data Claude can access such as files, environment variables, or command output. Reliably exploiting this required the ability to add untrusted content into a Claude Code context window. This vulnerability is fixed in 2.1.163.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS