
GitHub Copilot Chat CVE-2026-50519

EUVD: EUVD-2026-38089 · HIGH
Initialization of a Resource with an Insecure Default (CWE-1188)
2026-06-19 · secure@microsoft.com · GHSA-2gq4-362c-56w9
CVSS 3.1 (NVD): 7.5 · Temporal: 5.7

Severity by source

Vendor (microsoft), primary: MEDIUM (qualitative)
NVD: 7.5 HIGH (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
CIRCL (temporal): 5.7 MEDIUM (cvss)
vuln.today AI: 7.5 HIGH

Insecure default exposes a network-reachable resource needing no auth or interaction (AV:N/AC:L/PR:N/UI:N); impact is confidentiality-only disclosure (C:H/I:N/A:N).

CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS 4.0: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (microsoft).

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

Lifecycle Timeline

7 events
Jun 29, 2026 - 15:27 (vuln.today): Analysis Updated, v3 (cvss_changed)
Jun 29, 2026 - 15:27 (vuln.today): Analysis Updated, v2 (cvss_changed)
Jun 29, 2026 - 15:22 (vuln.today): Re-analysis Queued, cvss_changed
Jun 29, 2026 - 15:22 (NVD): Severity Changed, MEDIUM → HIGH
Jun 29, 2026 - 15:22 (NVD): CVSS changed, 6.5 (MEDIUM) → 7.5 (HIGH)
Jun 19, 2026 - 23:17 (EUVD): Patch available
Jun 19, 2026 - 21:54 (vuln.today): Analysis Generated

Description (NVD)

Initialization of a resource with an insecure default in GitHub Copilot and Visual Studio Code allows an unauthorized attacker to disclose information over a network.

Analysis (AI)

Information disclosure in GitHub Copilot Chat for Visual Studio Code (versions 1.0.0 up to but not including 1.123.2) lets a remote, unauthenticated attacker read sensitive data over a network because an insecure default configuration exposes a resource that should be protected. The CVSS 3.1 score of 7.5 reflects high confidentiality impact with no integrity or availability effect. …


Attack Chain (AI, derived)

Hypothetical attack flow derived from CVE metadata

Access: Reach developer endpoint over network
Delivery: Send request to insecure default resource
Exploit: Bypass missing access control
Execution: Read exposed confidential data
Impact: Exfiltrate disclosed information

Vulnerability Assessment (AI)

Exploitation: Exploitation requires that a victim be running a vulnerable GitHub Copilot Chat extension (1.0.0 through any version below 1.123.2) inside Visual Studio Code, with the affected resource left at its insecure default initialization state, and that the attacker can reach the exposed resource over the network. … Additional conditions and limiting factors are described in the full assessment.

Risk Assessment: Signals are mixed and lean toward moderate priority. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.

Exploit Scenario: An attacker positioned on the same network as a developer running a vulnerable Copilot Chat version sends crafted requests to the insecurely-initialized resource exposed by the extension and retrieves confidential data without any authentication or user interaction. Because the CVSS vector is AV:N/AC:L/PR:N/UI:N, the request requires no special privileges, no victim action, and only low attack complexity. …

Remediation: Vendor-released patch: GitHub Copilot Chat 1.123.2. Upgrade the extension to 1.123.2 or later, which falls outside the affected '<1.123.2' range; in Visual Studio Code this is done through the Extensions pane or by enabling automatic extension updates so the fix rolls out across endpoints. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended Action (AI)

Within 24 hours: identify all developers with GitHub Copilot Chat versions 1.0.0 through 1.123.1 installed. …
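For the inventory step above, this added example (not code from the vendor or from vuln.today) checks extension inventory lines in the `publisher.name@version` form printed by `code --list-extensions --show-versions` against the affected range 1.0.0 up to but not including 1.123.2. The extension identifier `GitHub.copilot-chat` and the sample inventory are assumptions.

```shell
#!/bin/sh
# Flag GitHub Copilot Chat builds in the affected range (>= 1.0.0, < 1.123.2).
# Input: lines of "publisher.name@version", as printed by
#   code --list-extensions --show-versions
FIRST="1.0.0"                  # first affected version (from the advisory)
FIXED="1.123.2"                # first fixed version (from the advisory)
EXT_ID="github.copilot-chat"   # assumption: extension identifier, lowercased

# version_lt A B: succeed when dotted version A < B, comparing each field
# numerically (so 1.99.5 < 1.123.2); missing fields count as 0.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            p = x[i] + 0; q = y[i] + 0
            if (p < q) exit 0
            if (p > q) exit 1
        }
        exit 1
    }' </dev/null
}

# is_affected VERSION: succeed when FIRST <= VERSION < FIXED.
is_affected() {
    ! version_lt "$1" "$FIRST" && version_lt "$1" "$FIXED"
}

# scan_inventory: read inventory lines on stdin, print each affected entry,
# and return 1 if at least one affected install was found (0 otherwise).
scan_inventory() {
    found=0
    while IFS='@' read -r id ver; do
        lower=$(printf '%s' "$id" | tr '[:upper:]' '[:lower:]')
        [ "$lower" = "$EXT_ID" ] || continue
        if is_affected "$ver"; then
            echo "AFFECTED $id@$ver (upgrade to $FIXED or later)"
            found=1
        fi
    done
    return "$found"
}

# Constructed sample inventory, not real host data. On an endpoint, use:
#   code --list-extensions --show-versions | scan_inventory
printf '%s\n' 'example.other-ext@2.0.0' 'GitHub.copilot-chat@1.99.5' \
    | scan_inventory || echo "action required on this endpoint"
```

The non-zero return from `scan_inventory` lets a fleet-management job treat an affected endpoint as a failed compliance check.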
