CVE-2026-45555
Description
Roslyn CodeLens MCP Server is a Roslyn-based MCP server providing semantic code intelligence for .NET codebases. From 0.0.9 up to but not including 1.17.0, the get_diagnostics MCP tool loads and executes all DiagnosticAnalyzer assemblies referenced by the target solution without any allowlist, signature check, or user confirmation; includeAnalyzers defaults to true, so no explicit opt-in is required. An attacker who can place a malicious .csproj referencing an attacker-controlled DLL in a location the victim opens with the MCP server will achieve arbitrary code execution in the server process with the server's OS privileges. This vulnerability is fixed in 1.17.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In Roslyn CodeLens MCP Server before 1.17.0, the get_diagnostics tool loads arbitrary DiagnosticAnalyzer DLLs from a solution without validation, allowing code execution when a victim opens a malicious project.
Vulnerability
The get_diagnostics MCP tool in Roslyn CodeLens MCP Server versions 0.0.9 up to but not including 1.17.0 loads and executes all DiagnosticAnalyzer assemblies referenced by the target solution without any allowlist, signature check, or user confirmation. The includeAnalyzers parameter defaults to true, so no explicit opt-in is required. The affected code iterates over AnalyzerReferences in AnalyzerRunner.cs and invokes GetAnalyzerDiagnosticsAsync, which causes the .NET runtime to load each referenced assembly and Roslyn to execute its DiagnosticAnalyzer.Initialize() [1].
Exploitation
An attacker who can place a malicious .csproj referencing an attacker-controlled DLL in a location that a victim opens with the MCP server can achieve arbitrary code execution. No authentication or special privileges are needed beyond the ability to write files to a location the victim will open. When the victim opens the solution and the get_diagnostics tool is invoked (or runs automatically), the server loads and executes the malicious analyzer DLL in the server process [1].
Impact
Successful exploitation results in arbitrary code execution in the server process with the OS privileges of the MCP server. This can lead to full compromise of confidentiality, integrity, and availability of the system [1].
Mitigation
The vulnerability is fixed in version 1.17.0 [1]. Users should upgrade to the latest version. As a workaround, ensure that includeAnalyzers is set to false when calling get_diagnostics, or only open solutions from trusted sources. Because the tool is typically invoked by an AI assistant rather than by a person, that workaround only holds if every client passes the parameter explicitly on every call. No other mitigations are disclosed in the available references.
AI Insight generated on May 29, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: >=0.0.9, <1.17.0
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The `get_diagnostics` MCP tool loads and executes all `DiagnosticAnalyzer` assemblies referenced by the target solution without any allowlist, signature check, or user confirmation, and `includeAnalyzers` defaults to `true`."
Attack vector
An attacker places a malicious `.csproj` that includes an `<Analyzer Include="..." />` item pointing to an attacker-controlled DLL in a location the victim opens with the MCP server. When the victim (or an AI assistant invoking the MCP server) calls the `get_diagnostics` tool with default parameters (`includeAnalyzers=true`), the server loads and executes all referenced `DiagnosticAnalyzer` assemblies without any allowlist, signature check, or user confirmation [ref_id=1]. The attacker's `DiagnosticAnalyzer.Initialize()` method then runs arbitrary code in the MCP server process with the server's OS privileges, enabling full host compromise. No authentication to the MCP protocol layer is required; the `get_diagnostics` call is the only prerequisite [ref_id=1].
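To make the trigger concrete, the following is a minimal analyzer of the kind the attack vector assumes. It is an added example written for this page, not code from the advisory, the project, or any real attacker, and its only payload is a harmless marker file. It assumes the class is compiled into a DLL named `MarkerAnalyzer.dll` and that the planted project references it with `<Analyzer Include="MarkerAnalyzer.dll" />`; both names are assumptions.

```csharp
using System;
using System.Collections.Immutable;
using System.Diagnostics;
using System.IO;
using Microsoft.CodeAnalysis;
using Microsoft.CodeAnalysis.Diagnostics;

// Constructed demonstration analyzer (not from the advisory or the project). It reports nothing
// useful; it exists only to show that code in a referenced analyzer runs inside the host process.
[DiagnosticAnalyzer(LanguageNames.CSharp)]
public sealed class MarkerAnalyzer : DiagnosticAnalyzer
{
    // A descriptor is mandatory; Hidden severity keeps the demo out of the diagnostics list.
    private static readonly DiagnosticDescriptor Rule = new DiagnosticDescriptor(
        id: "DEMO001", title: "Marker", messageFormat: "Marker analyzer loaded", category: "Demo",
        defaultSeverity: DiagnosticSeverity.Hidden, isEnabledByDefault: true);

    public override ImmutableArray<DiagnosticDescriptor> SupportedDiagnostics => ImmutableArray.Create(Rule);

    // Roslyn instantiates the type when the reference's GetAnalyzers() is called, so this constructor
    // already executes in the host before any analysis starts; Initialize() follows once
    // diagnostics are computed.
    public MarkerAnalyzer()
    {
        WriteMarker("ctor");
    }

    public override void Initialize(AnalysisContext context)
    {
        WriteMarker("Initialize");
        context.EnableConcurrentExecution();
        context.ConfigureGeneratedCodeAnalysis(GeneratedCodeAnalysisFlags.None);
    }

    // Harmless stand-in for a real payload: records which process loaded the DLL and as which user.
    // Anything the MCP server process can do (read its files, talk on its stdio channel) is available here.
    private static void WriteMarker(string stage)
    {
        using (Process self = Process.GetCurrentProcess())
        {
            string line = string.Format("{0}: pid={1} exe={2} user={3}{4}",
                stage, self.Id, self.MainModule?.FileName, Environment.UserName, Environment.NewLine);
            File.AppendAllText(Path.Combine(Path.GetTempPath(), "marker-analyzer.log"), line);
        }
    }
}
```

The point the log file makes is that both the constructor and `Initialize()` run in the process that opened the solution, which is why an allowlist has to decide on the DLL path before the reference is asked for its analyzers, not on the instances afterwards.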
Affected code
The vulnerability resides in `src/RoslynCodeLens/AnalyzerRunner.cs` lines 40-42, which iterate all `AnalyzerReferences` from the project and load each DLL unconditionally, and line 27, which executes loaded analyzers via `GetAnalyzerDiagnosticsAsync`. Additionally, `src/RoslynCodeLens/Tools/GetDiagnosticsTool.cs` line 16 sets `includeAnalyzers` to `true` by default, meaning no user opt-in is required to trigger the dangerous code path.
What the fix does
The advisory recommends three remediation steps: default `includeAnalyzers` to `false` so that analyzer execution requires explicit opt-in from the MCP client; implement an analyzer allowlist in `AnalyzerRunner.GetAnalyzers` to compare each assembly path against trusted paths or strong-name public keys before loading; and run analyzers in a sandboxed subprocess with OS-level isolation to prevent analyzer code from accessing the MCP server's stdio channel or filesystem credentials [ref_id=1]. The advisory also suggests displaying a one-time confirmation prompt to the MCP client when new analyzer DLL paths are encountered.
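The following is an added example of the first two recommendations (opt-in default and a path allowlist) in working form; it is not the project's code and `AnalyzerPolicy`, `HardenedAnalyzerRunner`, `GetDiagnosticsAsync`, `TrustedRoots` and `PinnedSha256` are assumed names. It pins file hashes rather than strong-name public keys, for the reason given after the block.

```csharp
using System;
using System.Collections.Immutable;
using System.IO;
using System.Linq;
using System.Security.Cryptography;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.CodeAnalysis;
using Microsoft.CodeAnalysis.Diagnostics;

// Added example of the recommended hardening; the type and member names are assumed,
// not taken from the project.
public sealed class AnalyzerPolicy
{
    // Directories an analyzer DLL must live under to be considered at all
    // (for example the NuGet global packages folder, never the solution directory itself).
    public ImmutableArray<string> TrustedRoots { get; init; } = ImmutableArray<string>.Empty;

    // SHA-256 digests (lowercase hex) of analyzer files that are allowed to run.
    // An empty set means any file under a trusted root is accepted.
    public ImmutableHashSet<string> PinnedSha256 { get; init; } = ImmutableHashSet<string>.Empty;

    public bool IsTrusted(string? fullPath, out string reason)
    {
        if (string.IsNullOrEmpty(fullPath))
        {
            reason = "analyzer reference carries no file path";
            return false;
        }

        // Normalise "..", "." and mixed separators before the prefix test so a reference such as
        // "<packages>\..\..\evil.dll" cannot pass as "inside" a trusted root.
        string resolved = Path.GetFullPath(fullPath);
        StringComparison cmp = OperatingSystem.IsWindows() ? StringComparison.OrdinalIgnoreCase : StringComparison.Ordinal;
        bool underRoot = TrustedRoots.Any(root =>
        {
            string prefix = Path.GetFullPath(root).TrimEnd(Path.DirectorySeparatorChar) + Path.DirectorySeparatorChar;
            return resolved.StartsWith(prefix, cmp);
        });
        if (!underRoot)
        {
            reason = resolved + " is outside every trusted root";
            return false;
        }

        if (!PinnedSha256.IsEmpty)
        {
            // Hashing reads the bytes on disk; unlike GetAnalyzers(), it executes nothing.
            using (FileStream stream = File.OpenRead(resolved))
            using (SHA256 sha = SHA256.Create())
            {
                string digest = BitConverter.ToString(sha.ComputeHash(stream)).Replace("-", "").ToLowerInvariant();
                if (!PinnedSha256.Contains(digest))
                {
                    reason = resolved + " has digest " + digest + ", which is not pinned";
                    return false;
                }
            }
        }

        reason = "trusted";
        return true;
    }
}

public static class HardenedAnalyzerRunner
{
    // Analyzer execution is opt-in: includeAnalyzers defaults to false.
    public static async Task<ImmutableArray<Diagnostic>> GetDiagnosticsAsync(
        Project project, AnalyzerPolicy policy, bool includeAnalyzers = false, CancellationToken ct = default)
    {
        Compilation? compilation = await project.GetCompilationAsync(ct);
        if (compilation == null)
            return ImmutableArray<Diagnostic>.Empty;
        if (!includeAnalyzers)
            return compilation.GetDiagnostics(ct);

        ImmutableArray<DiagnosticAnalyzer>.Builder analyzers = ImmutableArray.CreateBuilder<DiagnosticAnalyzer>();
        foreach (AnalyzerReference reference in project.AnalyzerReferences)
        {
            // The decision is made on the file path alone, before GetAnalyzers(): that call instantiates
            // the analyzer types, so by the time an instance could be inspected its constructor has run.
            if (!policy.IsTrusted(reference.FullPath, out string reason))
            {
                // stderr, not stdout: on a stdio MCP server stdout is the protocol channel.
                Console.Error.WriteLine("get_diagnostics: skipping analyzer reference (" + reason + ")");
                continue;
            }
            analyzers.AddRange(reference.GetAnalyzers(project.Language));
        }

        if (analyzers.Count == 0)
            return compilation.GetDiagnostics(ct);

        // Same execution path the advisory describes, restricted to the vetted set.
        CompilationWithAnalyzers withAnalyzers = compilation.WithAnalyzers(analyzers.ToImmutable());
        return await withAnalyzers.GetAllDiagnosticsAsync(ct);
    }
}
```

Two caveats on the check itself. A strong-name public-key comparison, which the advisory offers as an alternative, only compares a claim embedded in the assembly manifest: .NET Core does not validate strong-name signatures at load time, so an attacker can stamp a trusted public key onto an unsigned DLL. Pinning the file digest (or verifying an Authenticode signature) does not have that weakness. Second, `Path.GetFullPath` does not resolve symbolic links, so a link inside a trusted root that points elsewhere passes the prefix test; the digest pin covers that case when it is configured. The advisory's third recommendation, running analyzers in an isolated subprocess, is not shown here and remains the only measure that contains code which passes the allowlist.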
Preconditions
- input: The victim must open a solution file (`.sln`/`.csproj`) that references an attacker-controlled `DiagnosticAnalyzer` DLL via an `<Analyzer Include="..." />` item.
- config: The MCP server must be invoked with the `get_diagnostics` tool using default parameters (i.e., `includeAnalyzers` not explicitly set to `false`).
- network: The attacker must be able to place the malicious `.csproj` and DLL in a location the victim opens with the MCP server (e.g., via a cloned repository or shared directory).
Generated on May 29, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.