Skip to main content

Visual Studio Code CVE-2026-47281

| EUVDEUVD-2026-35573 CRITICAL
Missing Authentication for Critical Function (CWE-306)
2026-06-09 secure@microsoft.com GHSA-rgv4-j5p6-g338
9.6
CVSS 3.1 · Vendor: microsoft
Temporal: 8.3
Share

Severity by source

Vendor (microsoft) PRIMARY
9.6 CRITICAL
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
ENISA EUVD
HIGH
qualitative
CIRCL (temporal)
8.3 HIGH
cvss

Primary rating from Vendor (microsoft).

CVSS VectorVendor: microsoft

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 09, 2026 - 17:58 vuln.today

DescriptionCVE.org

Improper input validation in Visual Studio Code allows an unauthorized attacker to elevate privileges over a network.

AnalysisAI

Privilege escalation in Microsoft Visual Studio Code allows remote unauthenticated attackers to elevate privileges over a network when a victim performs a required interaction, due to improper input validation classified as missing authentication (CWE-306). The flaw carries a critical CVSS 9.6 score with scope change, meaning a successful attack impacts resources beyond the vulnerable component. No public exploit identified at time of analysis, but the user-interaction trigger combined with VS Code's massive developer install base makes this a notable supply-chain-adjacent risk.

Technical ContextAI

Visual Studio Code is Microsoft's cross-platform code editor built on Electron, embedding Chromium and Node.js, and supports extensions, remote development, and various URI handlers (vscode://, vscode-insiders://) that can deep-link into the editor. The root cause is CWE-306 (Missing Authentication for Critical Function), which in this context - combined with the 'Authentication Bypass' tag and AV:N attack vector - indicates that a network-reachable code path inside VS Code accepts attacker-controlled input without verifying caller identity or trust boundaries. The scope-changed CVSS vector (S:C) suggests the vulnerable component's authorization boundary is crossed, allowing impact on the host operating system or other components beyond the editor process itself.

RemediationAI

Patch available per vendor advisory - consult the Microsoft Security Response Center page at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-47281 to identify the exact fixed VS Code build and apply the update across developer workstations; enabling VS Code's auto-update channel is the most reliable path. As compensating controls until patching is complete, disable or unregister the vscode:// and vscode-insiders:// URI handlers at the OS level to break the network-delivered click-through attack path (side effect: breaks legitimate deep links from documentation and GitHub 'Open in VS Code' buttons), block opening workspaces and folders from untrusted sources by enforcing Workspace Trust and disabling 'Trust workspace' prompts via policy, and restrict installation of marketplace extensions to an allowlist via the extensions.allowed setting. Network-egress filtering alone will not mitigate this since attacks are likely delivered via web content the user already trusts to render.

CVE-2022-41034 HIGH POC
7.8 Oct 11

Visual Studio Code Remote Code Execution Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is no authent

CVE-2022-30129 HIGH POC
8.8 May 10

Visual Studio Code Remote Code Execution Vulnerability. Rated high severity (CVSS 8.8), this vulnerability is remotely e

CVE-2026-57102 HIGH
8.8 Jul 14

Security-feature bypass in Microsoft Visual Studio Code lets a remote attacker deliver functionality from an untrusted c

CVE-2026-41109 HIGH
8.8 May 12

Improper neutralization of special elements in output used by a downstream component ('injection') in GitHub Copilot and

CVE-2024-43488 CRITICAL
9.8 Oct 08

Missing authentication for critical function in Visual Studio Code extension for Arduino allows an unauthenticated attac

CVE-2026-50520 HIGH
8.4 Jul 14

Local code execution in Microsoft Visual Studio Code stems from a command injection flaw (CWE-77) that lets an attacker

CVE-2026-45482 HIGH
8.4 Jun 09

Security feature bypass via path traversal in GitHub Copilot and Visual Studio Code allows a local unauthorized attacker

CVE-2026-40376 HIGH
8.1 Jun 09

Privilege escalation in Microsoft Visual Studio Code versions 1.0.0 through 1.119.0 allows remote unauthenticated attack

CVE-2026-47292 HIGH
7.8 Jun 09

Local privilege elevation in Microsoft Visual Studio Code allows an unprivileged attacker to gain higher privileges on a

CVE-2026-41611 HIGH
7.8 May 12

Improper neutralization of script-related html tags in a web page (basic xss) in Visual Studio Code allows an unauthoriz

CVE-2026-21518 HIGH
8.8 Feb 10

GitHub Copilot and Visual Studio Code are vulnerable to command injection attacks that allow unauthenticated attackers t

CVE-2024-26165 HIGH
8.8 Mar 12

Visual Studio Code Elevation of Privilege Vulnerability. Rated high severity (CVSS 8.8), this vulnerability is remotely

Share

CVE-2026-47281 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy