Zero Day Monitor (ZDM)
CVE-2026-54316 · CVSS 7.5 · EXPLOITED · PATCHED
anthropic · claude code

Claude Code: Out-of-Band Data Exfiltration via Pre-Approved HuggingFace Domain in WebFetch

Description

Claude Code is an agentic coding tool. From 0.2.54 until 2.1.163, because the hostname huggingface.co was pre-approved as a bare hostname for the WebFetch tool, any path on that domain—including attacker-controlled model repositories—was auto-approved without a permission prompt or being subject to --allowedTools restrictions. An attacker able to inject untrusted content into a Claude Code context could direct it to issue WebFetch requests against attacker-controlled repository files (e.g. /resolve/main/config.json), which HuggingFace counts as downloads server-side, creating a covert out-of-band channel for encoding and exfiltrating data Claude can access such as files, environment variables, or command output. Reliably exploiting this required the ability to add untrusted content into a Claude Code context window. This vulnerability is fixed in 2.1.163.
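
The gap between a bare-hostname pre-approval and a path-scoped one, as an added example (not code from Claude Code or the advisory). The rule format, function names, the "/docs/" prefix and the sample URLs are assumptions made for illustration, and path scoping is shown as one possible hardening, not as the change shipped in 2.1.163.

```javascript
// Added illustration, not Claude Code's implementation. Rule shapes, function
// names, the "/docs/" prefix and the sample URLs are constructed assumptions.
const HOST_ONLY_RULES = [{ host: "huggingface.co" }];
const PATH_SCOPED_RULES = [{ host: "huggingface.co", pathPrefix: "/docs/" }];

// Returns true when a fetch to rawUrl would skip the permission prompt.
function isPreApproved(rawUrl, rules) {
  let url;
  try {
    url = new URL(rawUrl); // WHATWG parser resolves "." and ".." segments
  } catch {
    return false; // unparseable input is never auto-approved
  }
  if (url.protocol !== "https:" || url.username || url.password) return false;
  const host = url.hostname.replace(/\.$/, ""); // parser already lowercases
  return rules.some((rule) => {
    if (rule.host !== host) return false; // exact match, no suffix matching
    if (rule.pathPrefix === undefined) return true; // bare hostname: any path
    return url.pathname.startsWith(rule.pathPrefix);
  });
}

// Lists URLs that a bare-hostname rule approves but a path-scoped rule would
// send to a prompt: the gap described in the advisory.
function findOverApproved(urls) {
  return urls.filter(
    (u) => isPreApproved(u, HOST_ONLY_RULES) && !isPreApproved(u, PATH_SCOPED_RULES)
  );
}

// Constructed sample URLs; the repository name is a placeholder.
const SAMPLE_URLS = [
  "https://huggingface.co/docs/transformers/index",
  "https://huggingface.co/example-user/example-repo/resolve/main/config.json",
  "https://huggingface.co/docs/../example-user/example-repo/resolve/main/config.json",
  "https://huggingface.co.example.net/docs/",
];

console.log(findOverApproved(SAMPLE_URLS));
```

Path scoping only narrows the channel when the approved prefix serves no user-controlled content; on a host that mixes vendor and user content, the safer default is to prompt for anything outside that prefix.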

Affected Products

Vendor | Product | Versions
anthropic | claude code | >= 0.2.54, < 2.1.163

References

  • https://github.com/anthropics/claude-code/security/advisories/GHSA-fg94-h982-f3mm (x_refsource_CONFIRM)

Related News (1 articles)

VulDB · Tier C · 4d ago
CVE-2026-54316 | Anthropic claude-code up to 2.1.162 permissive list of allowed inputs (GHSA-fg94-h982-f3mm)
→ No new info (linked only)

CVSS 3.1: 7.5 HIGH
CISA KEV: No
Actively exploited: Yes
Patch available: @anthropic-ai/claude-code@2.1.163
CWE: CWE-183, CWE-200, CWE-515
Published: Jun 17, 2026
Last enriched: 4d ago (v2)
Tags: GHSA-fg94-h982-f3mm, npm
Trending Score: 24
Source articles: 1
Independent: 1
Info Completeness: 10/14
Missing: epss, kev, exploit, iocs


Related CVEs (5)

  • CVE-2026-7574 (HIGH): Anthropic Claude Desktop Cowork VM Image Contents Not Validated Before Use (Trending: 19)
  • PRE-CVE: Anthropic's Fable 5 Model Jailbroken (Trending: 10)
  • CVE-2026-46406 (MEDIUM): @anthropic-ai/claude-code has an Insecure Temporary File in /copy Command that Enables Response Disclosure and Symlink-Based File Write
  • CVE-2026-40068 (HIGH): Claude Code arbitrary code execution via git worktree commondir trust dialog bypass
  • CVE-2026-35022 (NONE, EXP): Anthropic Claude Code & Agent SDK OS Command Injection via Authentication Helper

Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

CVE Published: Jun 17, 2026
Discovered by ZDM: Jun 17, 2026
Actively Exploited: Jun 23, 2026
Patch Available: Jun 23, 2026
Updated (severity, cvssEstimate, activelyExploited, mitreAttack): Jun 23, 2026

Version History

v2 · Tier C · 4d ago · via VulDB
Updated severity to HIGH, added CVSS estimate of 7.5, marked as actively exploited, and added MITRE ATT&CK technique T1203.
Fields changed: severity, cvssEstimate, activelyExploited, mitreAttack

v1 · 10d ago
Initial creation