SCA: security update for @anthropic-ai/claude-code (GHSA-vhw5-3g5m-8ggf)

High | Tenable Cloud Security | Plugin ID 437513

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Claude Code is an agentic coding tool. Prior to version 1.0.111, Claude Code contained insufficient URL
validation in its trusted domain verification mechanism for WebFetch requests. The application used a
startsWith() function to validate trusted domains (e.g., docs.python.org, modelcontextprotocol.io), so an
attacker who registered a domain such as modelcontextprotocol.io.example.com would pass validation.
This could enable automatic requests to attacker-controlled domains without user consent,
potentially leading to data exfiltration. This issue has been patched in version 1.0.111. (CVE-2026-24052)

See Also

https://github.com/advisories/GHSA-vhw5-3g5m-8ggf

Plugin Details

Severity: High

ID: 437513

Version: Revision 1.7

Type: Local

Family: SCA Checks

Published: 2/4/2026

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3.3

Percentile: 51.27

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: High

Base Score: 7.8

Temporal Score: 5.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:N/A:N

CVSS Score Source: CVE-2026-24052

CVSS v3

Risk Factor: High

Base Score: 7.4

Temporal Score: 6.4

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS v4

Risk Factor: High

Base Score: 7.1

Threat Score: 4.9

Threat Vector: CVSS:4.0/E:U

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 2/3/2026

Vulnerability Publication Date: 2/3/2026

Reference Information

CVE: CVE-2026-24052

CWE: CWE-601