Description
Claude Code is an agentic coding tool. From 0.2.54 until 2.1.163, because the hostname huggingface.co was pre-approved as a bare hostname for the WebFetch tool, any path on that domain—including attacker-controlled model repositories—was auto-approved without a permission prompt or being subject to --allowedTools restrictions. An attacker able to inject untrusted content into a Claude Code context could direct it to issue WebFetch requests against attacker-controlled repository files (e.g. /resolve/main/config.json), which HuggingFace counts as downloads server-side, creating a covert out-of-band channel for encoding and exfiltrating data Claude can access such as files, environment variables, or command output. Reliably exploiting this required the ability to add untrusted content into a Claude Code context window. This vulnerability is fixed in 2.1.163.
Published: 2026-06-23
Score: 6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Claude Code, versions 0.2.54 through 2.1.162, automatically trusts any request to huggingface.co as a pre‑approved hostname for its WebFetch tool. This means any path under that domain—including attacker‑controlled model repositories—was accepted without a permission prompt or tool restriction. An attacker who can inject untrusted content into a Claude Code context can instruct the agent to fetch files from attacker‑controlled HuggingFace repositories (for example, "/resolve/main/config.json"). HuggingFace records these fetched files as downloads on the server side, creating a covert out‑of‑band channel that Claude Code can use to exfiltrate data it has access to, such as local files, environment variables, or command output. The vulnerability relies on improper handling of hostnames (CWE‑183) and leads to information disclosure (CWE‑200) and potential data leakage via unintended file transfer (CWE‑515). Reliable exploitation requires a vector for injecting malicious content into a Claude Code session. The vulnerability is fixed in version 2.1.163.

Affected Systems

Anthropic’s Claude Code product, versions 0.2.54 up to and including 2.1.162, is affected.

Risk and Exploitability

The CVSS score of 6 indicates a moderate severity, while no EPSS data is available and the vulnerability is not listed in the CISA KEV catalog. The attack requires the ability to inject untrusted content into a Claude Code context, after which the tool will automatically issue WebFetch requests to any path on huggingface.co. Exploitation could allow an attacker to exfiltrate data from the host executing Claude Code, but it is dependent on the presence of such injection vectors.

Generated by OpenCVE AI on June 24, 2026 at 10:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Claude Code to version 2.1.163 or later to remove the pre‑approved huggingface.co web fetch behavior.
  • Restrict the WebFetch tool to an allow list of trusted domains or disable it if not required for your use case.
  • Ensure that user input used in Claude Code contexts is sanitized or that contexts are protected from injection of malicious content to prevent unauthorized WebFetch requests.

Generated by OpenCVE AI on June 24, 2026 at 10:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-fg94-h982-f3mm Claude Code: Out-of-Band Data Exfiltration via Pre-Approved HuggingFace Domain in WebFetch
History

Tue, 23 Jun 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Anthropics
Anthropics claude Code
Vendors & Products Anthropics
Anthropics claude Code

Tue, 23 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 23 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Description Claude Code is an agentic coding tool. From 0.2.54 until 2.1.163, because the hostname huggingface.co was pre-approved as a bare hostname for the WebFetch tool, any path on that domain—including attacker-controlled model repositories—was auto-approved without a permission prompt or being subject to --allowedTools restrictions. An attacker able to inject untrusted content into a Claude Code context could direct it to issue WebFetch requests against attacker-controlled repository files (e.g. /resolve/main/config.json), which HuggingFace counts as downloads server-side, creating a covert out-of-band channel for encoding and exfiltrating data Claude can access such as files, environment variables, or command output. Reliably exploiting this required the ability to add untrusted content into a Claude Code context window. This vulnerability is fixed in 2.1.163.
Title Claude Code: Out-of-Band Data Exfiltration via Pre-Approved HuggingFace Domain in WebFetch
Weaknesses CWE-183
CWE-200
CWE-515
References
Metrics cvssV4_0

{'score': 6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Anthropics Claude Code
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-23T17:37:38.468Z

Reserved: 2026-06-12T18:42:02.223Z

Link: CVE-2026-54316

cve-icon Vulnrichment

Updated: 2026-06-23T17:37:34.873Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T11:00:13Z

Weaknesses
  • CWE-183

    Permissive List of Allowed Inputs

  • CWE-200

    Exposure of Sensitive Information to an Unauthorized Actor

  • CWE-515

    Covert Storage Channel