Skip to main content

CVE-2026-30304

| EUVDEUVD-2026-16602 CRITICAL
Improper Input Validation (CWE-20)
2026-03-27 mitre
9.6
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.6 CRITICAL
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
EUVD ID Assigned
Mar 27, 2026 - 14:30 euvd
EUVD-2026-16602
Analysis Generated
Mar 27, 2026 - 14:30 vuln.today
CVE Published
Mar 27, 2026 - 00:00 nvd
CRITICAL 9.6

DescriptionCVE.org

In its design for automatic terminal command execution, AI Code offers two options: Execute safe commands and execute all commands. The description for the former states that commands determined by the model to be safe will be automatically executed, whereas if the model judges a command to be potentially destructive, it still requires user approval. However, this design is highly susceptible to prompt injection attacks. An attacker can employ a generic template to wrap any malicious command and mislead the model into misclassifying it as a 'safe' command, thereby bypassing the user approval requirement and resulting in arbitrary command execution.

AnalysisAI

Prompt injection attacks in AI Code's automatic command execution feature allow remote attackers to bypass the model-based safety classification system and achieve arbitrary command execution without user approval. The vulnerability affects AI Code extensions (notably the Claude Dev China variant available on the Visual Studio Code Marketplace) by exploiting the model's susceptibility to crafted prompts that misclassify destructive commands as safe. No public exploit code or confirmed active exploitation has been identified at the time of analysis, but the attack requires no authentication and can be triggered by any user with access to the extension's command execution interface.

Technical ContextAI

AI Code implements a two-tier command execution policy: safe commands are executed automatically based on model classification, while potentially destructive commands require explicit user approval. This design relies on a large language model's judgment to distinguish between command categories. The vulnerability class relates to prompt injection attacks (a form of input validation bypass) combined with insecure design reliance on model behavior for security-critical decisions. The affected technology is a Visual Studio Code extension that integrates with language models (specifically Claude-based models per the marketplace reference) to generate and execute terminal commands. The root cause is the assumption that an LLM can reliably and consistently classify command safety in the presence of adversarially crafted prompts, without secondary validation mechanisms or sandboxing. This is a systemic weakness in treating LLM outputs as a security boundary rather than as user-generated content that requires validation.

RemediationAI

Immediate remediation for users: disable the automatic command execution feature and switch to the "execute all commands" mode only with explicit user approval for each command, or uninstall the extension if automatic execution cannot be avoided. For organizations: restrict installation of AI Code and similar LLM-integrated code execution tools via organization policies within Visual Studio Code or Intune/endpoint management. Longer-term remediation requires vendor action: the extension maintainers should redesign the safety classification mechanism to avoid reliance on LLM judgment as a security control. Recommended improvements include sandboxing command execution, implementing command whitelisting, adding secondary validation steps that do not depend on model output, and conducting security review of the prompt templates used for command classification. Users should monitor the GitHub issue (Secsys-FDU/LLM-Tool-Calling-CVEs/issues/2) and the Visual Studio Marketplace extension page for security updates. No vendor-released patch is identified in available data at this time.

Share

CVE-2026-30304 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy