CVE-2026-21518: Microsoft Visual Studio Code mcp.json Command Injection Enables RCE via Malicious Projects
A command injection vulnerability in Microsoft Visual Studio Code's handling of mcp.json files allows remote code execution when a user opens a malicious project, with a CVSS score of 7.8.
Microsoft has patched a command injection vulnerability in Visual Studio Code that could allow attackers to execute arbitrary code on a victim's machine simply by tricking them into opening a malicious project. Tracked as CVE-2026-21518 and disclosed by the Zero Day Initiative as ZDI-26-253, the flaw carries a CVSS score of 7.8 and affects the popular code editor's handling of mcp.json configuration files.
The vulnerability stems from improper validation of user-supplied strings before they are used to execute system calls. Specifically, when Visual Studio Code processes an mcp.json file from a project, it fails to sanitize certain inputs, allowing an attacker to inject arbitrary commands. The attack requires user interaction — the target must open a malicious project — but once triggered, the injected code runs in the context of the current user, giving the attacker full control over the victim's development environment.
Microsoft has released a security update to address CVE-2026-21518, with details available on the Microsoft Security Response Center page. The vulnerability was reported to Microsoft on March 5, 2026, by researchers Amol Dosanjh, Dre Cura, and Nicholas Zubrisky of TrendAI Research, and the coordinated public advisory was released on April 2, 2026.
The impact of this vulnerability is significant given Visual Studio Code's massive user base. As one of the most widely used code editors globally, with millions of developers relying on it for daily work, a successful exploit could lead to data theft, credential harvesting, or lateral movement within an organization's network. The fact that the attack vector involves opening a project file makes it particularly dangerous for developers who frequently clone repositories or download code from untrusted sources.
This disclosure follows a broader trend of vulnerabilities in developer tools and AI-assisted coding environments. Earlier this year, researchers highlighted how the rise of autonomous agents and AI coding tools creates a 'perfect storm' for security teams, as rapid development cycles often outpace security validation. The mcp.json command injection serves as a concrete example of how configuration files in development tools can become attack surfaces.
Users are strongly advised to apply the latest Visual Studio Code update immediately. As a general best practice, developers should exercise caution when opening projects from unknown or untrusted sources, and organizations should consider implementing policies that restrict the execution of unverified code in development environments. The ZDI advisory notes that Microsoft has issued an update to correct the vulnerability, and no workarounds have been published.