What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| Claude Code | npm | >= 0.2.54, < 2.1.163 | 2.1.163 |
If you run a Claude Code version in the vulnerable range above, you're affected.
What should I do?
Patch available
Update Claude Code to version 2.1.163 or later.
Frequently Asked Questions
Is CVE-2026-54316 actively exploited?
No confirmed active exploitation of CVE-2026-54316 has been reported, but organizations should still patch proactively.
How to fix CVE-2026-54316?
Update to patched version: Claude Code 2.1.163.
What is the CVSS score for CVE-2026-54316?
No CVSS score has been assigned yet.
What are the technical details?
Original Advisory
Because the hostname huggingface.co was pre-approved as a bare hostname for the WebFetch tool, any path on that domain—including attacker-controlled model repositories—was auto-approved without a permission prompt or being subject to --allowedTools restrictions. An attacker able to inject untrusted content into a Claude Code context could direct it to issue WebFetch requests against attacker-controlled repository files (e.g. /resolve/main/config.json), which HuggingFace counts as downloads server-side, creating a covert out-of-band channel for encoding and exfiltrating data Claude can access such as files, environment variables, or command output. Reliably exploiting this required the ability to add untrusted content into a Claude Code context window. Users on standard Claude Code auto-update have received this fix already; users performing manual updates are advised to update to the latest version. Thank you to hackerone.com/novee for reporting this issue.
Weaknesses (CWE)
- CWE-183 Permissive List of Allowed Inputs (Primary)
- CWE-200 Exposure of Sensitive Information to an Unauthorized Actor (Primary)
- CWE-515 Covert Storage Channel (Primary)
CWE-183 — Permissive List of Allowed Inputs: The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are explicitly allowed by policy because the inputs are assumed to be safe, but the list is too permissive - that is, it allows an input that is unsafe, leading to resultant weaknesses.
Source: MITRE CWE corpus.
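To make the CWE-183 point concrete for the advisory above, here is an added example (not Claude Code's own code) of a WebFetch-style URL policy check that contrasts a bare-hostname rule with a path-scoped, deny-by-default rule, run over constructed URLs. The rule shapes, the "/docs/" prefix and the attacker-org/lure-model repository path are assumptions.

```javascript
// Added example (not Claude Code's own code): a WebFetch-style URL policy check,
// contrasting the bare-hostname rule from the advisory with a path-scoped rule.
// Rule shapes, the "/docs/" prefix and the sample URLs are constructed.

/** Weak policy: a bare hostname pre-approves every path on that host (CWE-183). */
const weakAllowlist = [{ host: "huggingface.co" }];

/** Hardened policy: same host, but only the documentation tree is pre-approved;
 *  repository file downloads (/<org>/<repo>/resolve/...) fall through to "ask-user". */
const hardenedAllowlist = [{ host: "huggingface.co", pathPrefixes: ["/docs/"] }];

/** Returns "auto-approve" or "ask-user"; anything unparseable asks. */
function decide(rawUrl, allowlist) {
  let url;
  try {
    url = new URL(rawUrl); // WHATWG parsing resolves "/docs/../x" to "/x"
  } catch {
    return "ask-user";
  }
  if (url.protocol !== "https:") return "ask-user"; // assumption: https only
  for (const rule of allowlist) {
    if (url.hostname !== rule.host) continue; // exact host, no suffix matching
    if (!rule.pathPrefixes) return "auto-approve"; // bare host: any path passes
    if (rule.pathPrefixes.some((p) => url.pathname.startsWith(p))) {
      return "auto-approve";
    }
  }
  return "ask-user"; // deny by default: prompt the user
}

/** Runs one policy over a list of URLs; returns { url: decision }. */
function evaluate(urls, allowlist) {
  return Object.fromEntries(urls.map((u) => [u, decide(u, allowlist)]));
}

// Constructed requests, including the advisory's /resolve/main/config.json shape.
const sampleUrls = [
  "https://huggingface.co/docs/hub/index",
  "https://huggingface.co/attacker-org/lure-model/resolve/main/config.json",
  "https://huggingface.co/docs/../attacker-org/lure-model/resolve/main/config.json",
  "https://huggingface.co/docs%2F..%2Fattacker-org/lure-model/resolve/main/config.json",
  "https://huggingface.co.evil.example/docs/hub/index",
];
const weakDecisions = evaluate(sampleUrls, weakAllowlist);
const hardenedDecisions = evaluate(sampleUrls, hardenedAllowlist);

for (const u of sampleUrls) {
  console.log(`weak=${weakDecisions[u].padEnd(12)} hardened=${hardenedDecisions[u].padEnd(12)} ${u}`);
}
```

Under the weak policy every huggingface.co path, including the repository file download, is auto-approved; under the hardened policy only the listed prefix is, and the "ask-user" decisions are the ones worth logging.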
Related Vulnerabilities
- CVE-2026-2611 (9.6): MLflow: cross-origin bypass enables RCE via AI agent
- CVE-2026-35020 (8.4): Claude Code CLI: OS command injection via TERMINAL env (same package: claude-code)
- CVE-2026-44246 (7.2): nnU-Net: prompt injection hijacks CI/CD triage agent (same package: claude-code)
- CVE-2026-47128 (6.1): nono-cli: sandbox escape via Unix socket bypass (same package: claude-code)
- CVE-2026-40068: Claude Code: git worktree trust bypass executes hooks (same package: claude-code)