{"document":{"category":"csaf_vex","csaf_version":"2.0","title":"CVE-2026-10789: MCP Extension Code Injection Vulnerability in Autodesk Fusion Desktop","publisher":{"category":"vendor","name":"HarborGuard Database","namespace":"https://database.harborguard.co"},"tracking":{"id":"CVE-2026-10789","status":"final","version":"1","initial_release_date":"2026-06-22T17:15:25.546Z","current_release_date":"2026-06-22T17:25:30.537Z","revision_history":[{"date":"2026-06-22T17:15:25.546Z","number":"1","summary":"Initial machine-readable export from HarborGuard."}]},"distribution":{"tlp":{"label":"WHITE"},"text":"Public CVE data; freely redistributable."},"notes":[{"category":"description","text":"A maliciously crafted webpage, when visited by a user with Autodesk Fusion Desktop running and the MCP extension enabled, can trigger a vulnerability in the MCP extension that could allow arbitrary code execution. A successful exploit may allow code to execute with the privileges of the current user.","title":"CVE description"}],"references":[{"category":"self","summary":"CVE-2026-10789 on HarborGuard Database","url":"https://database.harborguard.co/cve/CVE-2026-10789"},{"category":"external","summary":"CVE Record","url":"https://www.cve.org/CVERecord?id=CVE-2026-10789"},{"category":"external","summary":"autodesk.com","url":"https://www.autodesk.com/trust/security-advisories/adsk-sa-2026-0008"},{"category":"external","summary":"dl.appstreaming.autodesk.com","url":"https://dl.appstreaming.autodesk.com/production/installers/Fusion%20Client%20Downloader.exe"},{"category":"external","summary":"dl.appstreaming.autodesk.com","url":"https://dl.appstreaming.autodesk.com/production/installers/Fusion%20Client%20Downloader.dmg"}]},"product_tree":{"branches":[{"category":"vendor","name":"Autodesk","branches":[{"category":"product_name","name":"Fusion","branches":[{"category":"product_version_range","name":">=2703.1.11 <2703.1.20","product":{"name":"Autodesk Fusion >=2703.1.11 <2703.1.20","product_id":"CSAFPID-1","product_identification_helper":{"cpe":"cpe:2.3:a:autodesk:fusion:*:*:*:*:*:*:*:*"}}}]}]}]},"vulnerabilities":[{"cve":"CVE-2026-10789","title":"MCP Extension Code Injection Vulnerability in Autodesk Fusion Desktop","notes":[{"category":"description","text":"A maliciously crafted webpage, when visited by a user with Autodesk Fusion Desktop running and the MCP extension enabled, can trigger a vulnerability in the MCP extension that could allow arbitrary code execution. A successful exploit may allow code to execute with the privileges of the current user.","title":"CVE description"}],"product_status":{"known_affected":["CSAFPID-1"]},"scores":[{"cvss_v3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H","baseScore":9.6,"baseSeverity":"CRITICAL"},"products":["CSAFPID-1"]}],"remediations":[{"category":"vendor_fix","details":"Update to a fixed version: 2703.1.20.","product_ids":["CSAFPID-1"],"url":"https://dl.appstreaming.autodesk.com/production/installers/Fusion%20Client%20Downloader.exe"}]}]}