Skip to main content

GitHub Copilot CVE-2026-50510

| EUVDEUVD-2026-44116 HIGH
Improper Restriction of Names for Files and Other Resources (CWE-641)
2026-07-14 microsoft GHSA-hjgg-v5cf-x59v
7.8
CVSS 3.1 · Vendor: microsoft
Share

Severity by source

Vendor (microsoft) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
vuln.today AI
7.8 HIGH

Local code execution in an IDE plugin needs no privileges but requires the developer to open/trigger malicious content, so AV:L, PR:N, UI:R with full CIA impact in the user's session.

3.1 AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (microsoft).

CVSS VectorVendor: microsoft

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jul 14, 2026 - 19:50 vuln.today
CVE Published
Jul 14, 2026 - 17:08 nvd
HIGH 7.8

DescriptionCVE.org

Improper restriction of names for files and other resources in Github Copilot allows an unauthorized attacker to execute code locally.

AnalysisAI

Local code execution in the GitHub Copilot plugin for JetBrains IDEs allows an unauthorized attacker to run arbitrary code on a developer's machine by leveraging improper restriction of file/resource names (CWE-641), with exploitation requiring the victim to perform an action (UI:R). Rated CVSS 7.8 (high) with full confidentiality, integrity, and availability impact, this is a local-vector flaw affecting developers running the Copilot extension; no public exploit identified at time of analysis and it is not listed in CISA KEV. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft malicious project/file with unsafe resource name
Delivery
Deliver to developer (repo, download, share)
Exploit
Victim opens/triggers Copilot action in JetBrains IDE
Execution
Plugin resolves improperly restricted name
Impact
Execute arbitrary code in developer session

Vulnerability AssessmentAI

Exploitation Exploitation requires local delivery plus victim interaction: the attacker must get the developer to open or process attacker-influenced content (e.g., a malicious project, file, or resource) in a JetBrains IDE running the vulnerable GitHub Copilot plugin, and the developer must perform the triggering Copilot action (CVSS UI:R). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS vector (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, score 7.8) describes a local attack that requires no privileges but does require user interaction, yielding high impact across all three security properties - consistent with local code execution in a developer tool. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a malicious repository or file whose contents cause the Copilot JetBrains plugin to resolve an improperly restricted file/resource name when the developer opens or interacts with it. When the victim opens the project and triggers the affected Copilot action (UI:R), the plugin resolves the crafted name to an attacker-controlled resource and executes code in the developer's local session. …
Remediation Patch available per vendor advisory: update the GitHub Copilot plugin for JetBrains IDEs to the fixed version published by Microsoft, following https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-50510 (the exact fixed build is not stated in the available data - confirm it in the MSRC advisory and via the JetBrains Marketplace). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, inventory all JetBrains IDE installations with the GitHub Copilot plugin enabled and notify affected developers of the vulnerability. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-50510 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy