{"id":"CVE-2026-54316","summary":"Claude Code: Out-of-Band Data Exfiltration via Pre-Approved HuggingFace Domain in WebFetch","details":"Claude Code is an agentic coding tool.  From 0.2.54 until 2.1.163, because the hostname huggingface.co was pre-approved as a bare hostname for the WebFetch tool, any path on that domain—including attacker-controlled model repositories—was auto-approved without a permission prompt or being subject to --allowedTools restrictions. An attacker able to inject untrusted content into a Claude Code context could direct it to issue WebFetch requests against attacker-controlled repository files (e.g. /resolve/main/config.json), which HuggingFace counts as downloads server-side, creating a covert out-of-band channel for encoding and exfiltrating data Claude can access such as files, environment variables, or command output. Reliably exploiting this required the ability to add untrusted content into a Claude Code context window. This vulnerability is fixed in 2.1.163.","aliases":["GHSA-fg94-h982-f3mm"],"modified":"2026-07-08T08:13:44.936462223Z","published":"2026-06-23T17:06:16.184Z","database_specific":{"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/54xxx/CVE-2026-54316.json","cwe_ids":["CWE-183","CWE-200","CWE-515"]},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/54xxx/CVE-2026-54316.json"},{"type":"ADVISORY","url":"https://github.com/anthropics/claude-code/security/advisories/GHSA-fg94-h982-f3mm"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-54316"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/anthropics/claude-code","events":[{"introduced":"0"},{"fixed":"d1e174252d0af47174bd9fbdec6abb092b49226a"}],"database_specific":{"extracted_events":[{"introduced":"0.2.54"},{"fixed":"2.1.163"}],"source":["AFFECTED_FIELD","CPE_RANGE"],"cpe":"cpe:2.3:a:anthropic:claude_code:*:*:*:*:*:node.js:*:*"}}],"versions":["v2.1.162","v2.1.161","v2.1.160","v2.1.159","v2.1.158","v2.1.157","v2.1.156","v2.1.154","v2.1.153","v2.1.152","v2.1.150","v2.1.149","v2.1.148","v2.1.147","v2.1.146","v2.1.145","v2.1.144","v2.1.143","v2.1.142","v2.1.141","v2.1.140","v2.1.139","v2.1.138","v2.1.137","v2.1.136","v2.1.133","v2.1.132","v2.1.131","v2.1.129","v2.1.128","v2.1.126","v2.1.123","v2.1.122","v2.1.121","v2.1.120","v2.1.119","v2.1.118","v2.1.117","v2.1.116","v2.1.114","v2.1.113","v2.1.112","v2.1.111","v2.1.110","v2.1.109","v2.1.108","v2.1.107","v2.1.105","v2.1.104","v2.1.101","v2.1.98","v2.1.100","v2.1.97","v2.1.96","v2.1.94","v2.1.92","v2.1.91","v2.1.90","v2.1.89","v2.1.88","v2.1.87","v2.1.86","v2.1.85","v2.1.84","v2.1.83","v2.1.81","v2.1.80","v2.1.79","v2.1.78","v2.1.77","v2.1.76","v2.1.75","v2.1.74","v2.1.73","v2.1.72","v2.1.71","v2.1.70","v2.1.69","v2.1.68","v2.1.66","v2.1.63","v2.1.62","v2.1.61","v2.1.59","v2.1.58","v2.1.56","v2.1.55","v2.1.53","v2.1.52","v2.1.51","v2.1.50","v2.1.49","v2.1.47","v2.1.45","v2.1.44","v2.1.42","v2.1.41","v2.1.39","v2.1.38","v2.1.37","v2.1.36","v2.1.34","v2.1.33","v2.1.32","v2.1.31","v2.1.30","v2.1.29","v2.1.12","v2.1.27","v2.1.25","v2.1.23","v2.1.22","v2.1.21","v2.1.20","v2.1.19","v2.1.17","v2.1.16","v2.1.15","v2.1.14","v2.1.11","v2.1.9","v2.1.7","v2.1.6","v2.1.5","v2.1.4","v2.1.3","v2.1.2","v2.1.1","v2.0.76","v2.1.0","v2.0.74","v2.0.73"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-54316.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"}]}