Severity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Local code execution in an IDE plugin needs no privileges but requires the developer to open/trigger malicious content, so AV:L, PR:N, UI:R with full CIA impact in the user's session.
Primary rating from Vendor (microsoft).
CVSS VectorVendor: microsoft
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
Improper restriction of names for files and other resources in Github Copilot allows an unauthorized attacker to execute code locally.
AnalysisAI
Local code execution in the GitHub Copilot plugin for JetBrains IDEs allows an unauthorized attacker to run arbitrary code on a developer's machine by leveraging improper restriction of file/resource names (CWE-641), with exploitation requiring the victim to perform an action (UI:R). Rated CVSS 7.8 (high) with full confidentiality, integrity, and availability impact, this is a local-vector flaw affecting developers running the Copilot extension; no public exploit identified at time of analysis and it is not listed in CISA KEV. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires local delivery plus victim interaction: the attacker must get the developer to open or process attacker-influenced content (e.g., a malicious project, file, or resource) in a JetBrains IDE running the vulnerable GitHub Copilot plugin, and the developer must perform the triggering Copilot action (CVSS UI:R). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS vector (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, score 7.8) describes a local attack that requires no privileges but does require user interaction, yielding high impact across all three security properties - consistent with local code execution in a developer tool. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker crafts a malicious repository or file whose contents cause the Copilot JetBrains plugin to resolve an improperly restricted file/resource name when the developer opens or interacts with it. When the victim opens the project and triggers the affected Copilot action (UI:R), the plugin resolves the crafted name to an attacker-controlled resource and executes code in the developer's local session. … |
| Remediation | Patch available per vendor advisory: update the GitHub Copilot plugin for JetBrains IDEs to the fixed version published by Microsoft, following https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-50510 (the exact fixed build is not stated in the available data - confirm it in the MSRC advisory and via the JetBrains Marketplace). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, inventory all JetBrains IDE installations with the GitHub Copilot plugin enabled and notify affected developers of the vulnerability. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44116
GHSA-hjgg-v5cf-x59v