Detections
Analytics

Anthropic Claude Code 0.2.54 < 2.1.163 Data Exfiltration (CVE-2026-54316)

medium Nessus Plugin ID 322792

Synopsis

An application installed on the remote host is affected by a data exfiltration vulnerability.

Description

The version of Anthropic Claude Code installed on the remote host is 0.2.54 prior to 2.1.163. It is, therefore, affected by a data exfiltration vulnerability.

 - Because the hostname huggingface.co was pre-approved as a bare hostname for the WebFetch tool, any path on that domain including attacker-controlled model repositories was auto-approved without a permission prompt or being subject to --allowedTools restrictions.
 An attacker able to inject untrusted content into a Claude Code context could direct it to issue WebFetch requests against attacker-controlled repository files, which HuggingFace counts as downloads server-side, creating a covert out-of-band channel for encoding and exfiltrating data Claude can access such as files, environment variables, or command output. Reliably exploiting this required the ability to add untrusted content into a Claude Code context window. (CVE-2026-54316)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Upgrade Anthropic Claude Code to version 2.1.163 or later.

See Also

http://www.nessus.org/u?a8927a88

Plugin Details

Severity: Medium

ID: 322792

File Name: anthropic_claude_code_CVE-2026-54316.nasl

Version: 1.1

Type: Local

Agent: windows, macosx, unix

Family: Misc.

Published: 6/25/2026

Updated: 6/25/2026

Configuration: Enable thorough checks (optional)

Supported Sensors: Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.0

CVSS v2

Risk Factor: Medium

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS Score Source: CVE-2026-54316

CVSS v3

Risk Factor: High

Base Score: 7.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS v4

Risk Factor: Medium

Base Score: 6

Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Vulnerability Information

CPE: cpe:/a:anthropic:claude_code

Required KB Items: installed_sw/Anthropic Claude Code

Patch Publication Date: 6/13/2026

Vulnerability Publication Date: 6/13/2026

Reference Information

CVE: CVE-2026-54316