Audit your pre-approved fetch domains for user-uploadable content (CVE-2026-54316)
GitLab Advisory Database·high signal
CVE-2026-54316 covers out-of-band data exfiltration from Claude Code via a pre-approved HuggingFace domain in WebFetch. The lesson generalizes past this one CVE: any domain on a static allowlist that lets third parties host arbitrary content becomes a legal exfiltration endpoint. Audit allowlists by asking 'can an attacker put a file here?' rather than 'is this vendor reputable?'