What happened
Microsoft disclosed CVE-2026-40376 on June 9, 2026 as part of Patch Tuesday; it is fixed in VS Code 1.119.1. Improper input validation in Visual Studio Code's Model Context Protocol (MCP) server integration allows an unauthenticated network attacker, with user interaction, to gain the permissions associated with an MCP Server's managed identity. The CVSS 3.1 base score is 7.5 (AV:N/AC:H/PR:N/UI:R). Microsoft rates exploitation as less likely; no public exploit or in-the-wild exploitation was reported at disclosure.
Why it matters
VS Code is the dominant IDE for AI developers and is increasingly used as a broker between developers, AI coding agents (GitHub Copilot, Claude Code extensions, Cursor), cloud identities, and MCP tool servers. A managed identity represents a concentrated blast radius — it grants access to cloud resources (Azure, GCP, AWS) scoped to the MCP server without requiring stored credentials. An attacker who obtains managed identity permissions could read secrets, invoke cloud AI services, access vector databases, or pivot into AI workload infrastructure. This is a direct MCP-surface vulnerability in the world's most-used AI development environment.
Attack vector
Network-reachable attack that requires no prior privileges but does require user interaction. It exploits improper input validation at the MCP server boundary to impersonate or inherit the managed identity assigned to the MCP Server process.
Affected systems
Microsoft Visual Studio Code < 1.119.1 (all platforms: Windows, macOS, Linux) when MCP Server integrations with managed identities are configured
Mitigation
Update VS Code to version 1.119.1 or later. Audit all MCP Server integrations and review managed identity scope assignments — apply least-privilege to MCP server identities. MSRC advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-40376
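One way to check the update step across a set of machines, as an added example that is not part of Microsoft's advisory: the script compares the version reported on the first line of `code --version` numerically against 1.119.1. The function names, the "host version" inventory format and the sample hosts are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: find VS Code installs older than the fixed release (1.119.1).
FIXED_VERSION="1.119.1"

# First line of `code --version` is the version string.
local_vscode_version() {
    code --version 2>/dev/null | head -n 1
}

# version_ge HAVE WANT: 0 if HAVE >= WANT, 1 if older, 2 if HAVE is unparsable.
# A build suffix such as "-insider" is dropped (assumed suffix format).
version_ge() {
    have=${1%%-*}
    want=${2%%-*}
    printf '%s\n' "$have" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+$' || return 2
    for i in 1 2 3; do
        h=$(printf '%s' "$have" | cut -d. -f"$i")
        w=$(printf '%s' "$want" | cut -d. -f"$i")
        # Compare numerically: as strings, "1.99.0" would sort after "1.119.1".
        if [ "$h" -gt "$w" ]; then return 0; fi
        if [ "$h" -lt "$w" ]; then return 1; fi
    done
    return 0
}

# Read "host version" lines on stdin; print hosts that are older than the fix
# or whose version could not be parsed (those need a manual look).
unpatched_hosts() {
    while read -r host ver; do
        [ -n "$host" ] || continue
        if ! version_ge "$ver" "$FIXED_VERSION"; then
            printf '%s %s\n' "$host" "${ver:-unknown}"
        fi
    done
}

# Constructed inventory for illustration; these are not real hosts.
sample_inventory() {
    cat <<'EOF'
dev-laptop-01 1.118.2
dev-laptop-02 1.119.1
build-box-03 1.119.0
ml-ws-04 1.120.0-insider
ml-ws-05 unknown
EOF
}
```

Running `sample_inventory | unpatched_hosts` lists the hosts that still need the update; in practice the input would come from `local_vscode_version` collected per machine by existing inventory tooling.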