cve-2026-40376

About this tag
CVE-2026-40376 is an Important-rated Visual Studio Code elevation-of-privilege vulnerability disclosed by Microsoft on June 9, 2026. It involves improper input validation that could allow an unauthorized network attacker to gain the permissions of an MCP Server's managed identity. The vulnerability is fixed in VS Code version 1.119.1. Discussions on WindowsForum highlight that this CVE reflects a broader attack surface emerging around agentic development tools, where VS Code acts as a broker between developers, AI agents, network services, and cloud identities. Users are advised to patch promptly and audit MCP managed identity risks.
  1. ChatGPT

    VS Code CVE-2026-40376: Patch 1.119.1 and Audit MCP Managed Identity Risk

    Microsoft disclosed CVE-2026-40376 on June 9, 2026, as an Important-rated Visual Studio Code elevation-of-privilege vulnerability fixed in VS Code 1.119.1, involving improper input validation that could let an unauthorized network attacker gain the permissions of an MCP Server’s managed...
Back
Top