CVE-2026-54316

Source
https://cve.org/CVERecord?id=CVE-2026-54316
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-54316.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-54316
Aliases
Downstream
Published
2026-06-23T17:06:16.184Z
Modified
2026-07-08T08:13:44.936462223Z
Severity
  • 6.0 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
Claude Code: Out-of-Band Data Exfiltration via Pre-Approved HuggingFace Domain in WebFetch
Details

Claude Code is an agentic coding tool. From 0.2.54 until 2.1.163, because the hostname huggingface.co was pre-approved as a bare hostname for the WebFetch tool, any path on that domain—including attacker-controlled model repositories—was auto-approved without a permission prompt or being subject to --allowedTools restrictions. An attacker able to inject untrusted content into a Claude Code context could direct it to issue WebFetch requests against attacker-controlled repository files (e.g. /resolve/main/config.json), which HuggingFace counts as downloads server-side, creating a covert out-of-band channel for encoding and exfiltrating data Claude can access such as files, environment variables, or command output. Reliably exploiting this required the ability to add untrusted content into a Claude Code context window. This vulnerability is fixed in 2.1.163.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/54xxx/CVE-2026-54316.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-183",
        "CWE-200",
        "CWE-515"
    ]
}
References

Affected packages

Git / github.com/anthropics/claude-code

Affected ranges

Type
GIT
Repo
https://github.com/anthropics/claude-code
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "source": [
        "AFFECTED_FIELD",
        "CPE_RANGE"
    ],
    "cpe": "cpe:2.3:a:anthropic:claude_code:*:*:*:*:*:node.js:*:*",
    "extracted_events": [
        {
            "introduced": "0.2.54"
        },
        {
            "fixed": "2.1.163"
        }
    ]
}

Affected versions

v2.*
v2.0.73
v2.0.74
v2.0.76
v2.1.0
v2.1.1
v2.1.100
v2.1.101
v2.1.104
v2.1.105
v2.1.107
v2.1.108
v2.1.109
v2.1.11
v2.1.110
v2.1.111
v2.1.112
v2.1.113
v2.1.114
v2.1.116
v2.1.117
v2.1.118
v2.1.119
v2.1.12
v2.1.120
v2.1.121
v2.1.122
v2.1.123
v2.1.126
v2.1.128
v2.1.129
v2.1.131
v2.1.132
v2.1.133
v2.1.136
v2.1.137
v2.1.138
v2.1.139
v2.1.14
v2.1.140
v2.1.141
v2.1.142
v2.1.143
v2.1.144
v2.1.145
v2.1.146
v2.1.147
v2.1.148
v2.1.149
v2.1.15
v2.1.150
v2.1.152
v2.1.153
v2.1.154
v2.1.156
v2.1.157
v2.1.158
v2.1.159
v2.1.16
v2.1.160
v2.1.161
v2.1.162
v2.1.17
v2.1.19
v2.1.2
v2.1.20
v2.1.21
v2.1.22
v2.1.23
v2.1.25
v2.1.27
v2.1.29
v2.1.3
v2.1.30
v2.1.31
v2.1.32
v2.1.33
v2.1.34
v2.1.36
v2.1.37
v2.1.38
v2.1.39
v2.1.4
v2.1.41
v2.1.42
v2.1.44
v2.1.45
v2.1.47
v2.1.49
v2.1.5
v2.1.50
v2.1.51
v2.1.52
v2.1.53
v2.1.55
v2.1.56
v2.1.58
v2.1.59
v2.1.6
v2.1.61
v2.1.62
v2.1.63
v2.1.66
v2.1.68
v2.1.69
v2.1.7
v2.1.70
v2.1.71
v2.1.72
v2.1.73
v2.1.74
v2.1.75
v2.1.76
v2.1.77
v2.1.78
v2.1.79
v2.1.80
v2.1.81
v2.1.83
v2.1.84
v2.1.85
v2.1.86
v2.1.87
v2.1.88
v2.1.89
v2.1.9
v2.1.90
v2.1.91
v2.1.92
v2.1.94
v2.1.96
v2.1.97
v2.1.98

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-54316.json"