CVE-2026-41613: Microsoft Patches VS Code Flaw That Hid Malicious MCP Server Configuration
Microsoft patched a high-severity vulnerability in Visual Studio Code that let attackers embed hidden malicious settings inside MCP server install links, granting persistent code execution on developer machines.
Microsoft has patched a high-severity vulnerability in Visual Studio Code, tracked as CVE-2026-41613, that allowed attackers to gain full control of a developer's machine by hiding malicious configuration fields inside one-click installer links for Model Context Protocol (MCP) servers. The flaw, discovered by Oasis Security, exploits a mismatch between the fields shown in the install preview dialog and the fields that are actually processed, enabling attackers to inject arbitrary code via hidden environment variables and HTTP headers.
The vulnerability resides in VS Code's one-click installer for MCP servers — plug-ins that connect AI coding assistants to external services such as GitHub, databases, and file systems. When a developer clicks an MCP install link, the editor displays a confirmation dialog showing five fields: server name, type, commands, and arguments. However, Oasis Security researchers found that the underlying structure supported 10 fields, leaving five additional fields — including environment variables, environment file paths, and HTTP headers — invisible to the user. The attacker's payload never appeared anywhere in the UI.
The execution mechanism hinges on Node.js, the runtime used by the vast majority of MCP servers. The `NODE_OPTIONS` environment variable is typically blocked for most execution paths, but Oasis found that the `--import` flag was not. Combined with the fact that `--import` accepts data: URLs containing inline JavaScript, an attacker can set `NODE_OPTIONS` via the hidden fields to preload arbitrary JavaScript before the MCP server's main code runs. That JavaScript can then execute any shell command — dropping a persistent backdoor, exfiltrating credentials, or opening a reverse shell. The compromised configuration is stored in the workspace's settings file and re-executes on every server start, surviving reboots and editor restarts.
The attack chain requires nothing more than a developer clicking a crafted link and pressing install on what appears to be a normal confirmation dialog. Beyond code execution, Oasis detailed a second attack path involving HTTP-type MCP servers: the headers field, used to attach authentication credentials to outgoing requests, was also missing from the install preview. An attacker could embed their own login credentials in the link, causing the AI assistant to operate under the attacker's session — granting access to every file read, message sent, or data query performed by the developer's assistant.
Elad Luz, head of research at Oasis, characterized both findings as a UI trust-boundary failure. "When an application accepts URI input that will be used to execute programs, or whose parameters carry authentication material, the consent surface needs to be fully transparent about what's in the payload," he told ISMG. Microsoft's fix renders environment variables, environment file paths, and headers in the install preview, closing the visibility gap. Oasis reported both findings through Microsoft's security researcher portal before publication.
The disclosure arrives amid growing scrutiny of MCP security. In April 2026, Ox Security disclosed a systemic command injection flaw across Anthropic's official MCP SDKs in multiple languages, affecting over 7,000 publicly accessible servers and more than 150 million downloads. Anthropic declined to modify the protocol's architecture, leaving individual vendors to patch their own implementations. The Cloud Security Alliance's AI Safety Initiative recently described MCP as having "emerged as one of the most rapidly weaponized attack surfaces in agentic AI deployments."
Luz advised organizations to route MCP deployment through gateways with proper access management — vetted servers, managed credentials, and policy applied at the point an agent invokes a tool. "That removes the configuration-injection attack surface from the equation rather than trying to detect it after the fact," he said. The finding underscores a broader pattern: as AI-powered coding assistants proliferate, the trust boundaries in their tooling pipelines are still dangerously under-engineered.