CVE-2026-54316

Summary

Claude Code is an agentic coding tool. From 0.2.54 until 2.1.163, because the hostname huggingface.co was pre-approved as a bare hostname for the WebFetch tool, any path on that domain—including attacker-controlled model repositories—was auto-approved without a permission prompt or being subject to –allowedTools restrictions. An attacker able to inject untrusted content into a Claude Code context could direct it to issue WebFetch requests against attacker-controlled repository files (e.g. /resolve/main/config.json), which HuggingFace counts as downloads server-side, creating a covert out-of-band channel for encoding and exfiltrating data Claude can access such as files, environment variables, or command output. Reliably exploiting this required the ability to add untrusted content into a Claude Code context window. This vulnerability is fixed in 2.1.163.

Affected Software

VendorProductVersion RangeStatus
anthropicsclaude-code>= 0.2.54, < 2.1.163affected

Weaknesses

  • CWE-183: CWE-183: Permissive List of Allowed Inputs
  • CWE-200: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
  • CWE-515: CWE-515: Covert Storage Channel

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References