Skip to main content

Roslyn CodeLens MCP CVE-2026-45555

| EUVDEUVD-2026-33302 HIGH
Code Injection (CWE-94)
2026-05-29 GitHub_M
7.8
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.8 HIGH
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Patch available
May 29, 2026 - 15:01 EUVD
Analysis Generated
May 29, 2026 - 14:21 vuln.today

DescriptionGitHub Advisory

Roslyn CodeLens MCP Server is a Roslyn-based MCP server providing semantic code intelligence for .NET codebases. From 0.0.9 to 1.17.0, the get_diagnostics MCP tool loads and executes all DiagnosticAnalyzer assemblies referenced by the target solution without any allowlist, signature check, or user confirmation; includeAnalyzers defaults to true, so no explicit opt-in is required. An attacker who can place a malicious .csproj referencing an attacker-controlled DLL in a location the victim opens with the MCP server will achieve arbitrary code execution in the server process with the server's OS privileges. This vulnerability is fixed in 1.17.0.

AnalysisAI

Arbitrary code execution in Roslyn CodeLens MCP Server versions 0.0.9 through 1.17.0 allows attackers to run code in the MCP server process by tricking a victim into opening a malicious .NET solution. The get_diagnostics tool automatically loads and executes any DiagnosticAnalyzer DLL referenced by a .csproj without allowlist, signature validation, or user prompt, and includeAnalyzers defaults to true. No public exploit identified at time of analysis, but the attack pattern (malicious project file + attacker-controlled DLL) is well understood and trivial to weaponize.

Technical ContextAI

Roslyn is Microsoft's open-source .NET compiler platform; it allows third-party DiagnosticAnalyzer assemblies to be referenced from a project (.csproj) and loaded into the compilation pipeline to surface custom warnings and code intelligence. The Model Context Protocol (MCP) is an emerging standard for exposing tools and data to LLM-driven agents, and this server bridges Roslyn diagnostics into that ecosystem. The vulnerability is rooted in CWE-94 (Improper Control of Generation of Code) because the get_diagnostics tool treats analyzer DLL references in untrusted .csproj files as trusted code to execute in-process. CPE cpe:2.3:a:marcelroozekrans:roslyn-codelens-mcp identifies the single affected implementation.

RemediationAI

Vendor-released patch: upgrade to Roslyn CodeLens MCP Server 1.17.0 or later, per the GitHub Security Advisory at https://github.com/MarcelRoozekrans/roslyn-codelens-mcp/security/advisories/GHSA-552p-8f74-6x7q. If an immediate upgrade is not possible, invoke get_diagnostics with includeAnalyzers explicitly set to false to suppress analyzer loading (trade-off: you lose custom analyzer diagnostics from the response). As a structural workaround, only point the MCP server at solutions from trusted sources and avoid opening freshly cloned third-party repositories until upgraded; running the MCP server under a least-privileged OS account or inside a sandbox/container limits the blast radius of any analyzer DLL execution but does not prevent it.

Share

CVE-2026-45555 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy