How is CVE-2026-45555 exploited?

Network reachability (not-required): AV:L means the attacker does not need network access; the malicious project must be opened locally by the victim's MCP server process. Authentication (not-required): PR:N means no prior account or credentials on the target system are required to stage the malicious .csproj and DLL. Victim interaction (required): UI:R means the victim must open or load the attacker-supplied solution in an editor or tool wired to the MCP server. Attack complexity (info): AC:L means exploitation is reliable: dropping a .csproj that references the malicious analyzer DLL is sufficient, with no race or environmental tuning.

What is the impact of CVE-2026-45555?

Executes arbitrary attacker code inside the MCP server process with that process's OS privileges, typically the developer's user account. Reads any files, source code, secrets, and tokens accessible to the server user, including SSH keys, cloud credentials, and signing material on the workstation. Modifies or plants files on disk, including build outputs and source files, enabling supply-chain tampering of downstream artifacts. Can disrupt or hang the MCP server and any tooling that depends on it.

Back to search

HIGHCVE-2026-45555Published 2026-05-29Modified 2026-05-29CNA GitHub_M

CVE-2026-45555: Roslyn CodeLens MCP Server: Untrusted Roslyn Analyzer Execution via get_diagnostics Leads to Arbitrary Code Execution

Roslyn CodeLens MCP Server is a Roslyn-based MCP server providing semantic code intelligence for .NET codebases. From 0.0.9 to 1.17.0, the get_diagnostics MCP tool loads and executes all DiagnosticAnalyzer assemblies referenced by the target solution without any allowlist, signature check, or user confirmation; includeAnalyzers defaults to true, so no explicit opt-in is required. An attacker who can place a malicious .csproj referencing an attacker-controlled DLL in a location the victim opens with the MCP server will achieve arbitrary code execution in the server process with the server's OS privileges. This vulnerability is fixed in 1.17.0.

HarborGuard Analysis

HarborGuard analysis

Synopsis

An arbitrary code execution flaw exists in the Roslyn CodeLens MCP Server, a .NET semantic code intelligence service. The get_diagnostics tool loads and runs DiagnosticAnalyzer assemblies referenced by the opened solution with no allowlist, signature check, or user prompt, and the includeAnalyzers flag defaults to true. An attacker who convinces a victim to open a malicious project that references an attacker-controlled DLL gains code execution in the MCP server process at the server's OS privileges. A patched-image rebuild at version 1.17.0 is available on HarborGuard for affected environments.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against images in customer registries and CI pipelines, including custom-built images that bundle the roslyn-codelens-mcp package.

Available

Triage

Triage is available with the published CVSS 3.1 score of 7.8 (High), then reweighted by each customer's compliance policy (developer tooling exposure, workstation reach, and similar factors) before routing to the appropriate inbox inside the customer org.

Available

Patch

A patched-image rebuild at 1.17.0 is available on HarborGuard for environments running an affected version. Customers who opt into auto-remediation get the rebuilt image, a regression-test run, and a PR opened against affected workloads.

Pending upstream

Exploit Conditions

Network reachabilityNot required
AV:L means the attacker does not need network access; the malicious project must be opened locally by the victim's MCP server process.
AuthenticationNot required
PR:N means no prior account or credentials on the target system are required to stage the malicious .csproj and DLL.
Victim interactionRequired
UI:R means the victim must open or load the attacker-supplied solution in an editor or tool wired to the MCP server.
Attack complexityDetail
AC:L means exploitation is reliable: dropping a .csproj that references the malicious analyzer DLL is sufficient, with no race or environmental tuning.

Blast Radius

Executes arbitrary attacker code inside the MCP server process with that process's OS privileges, typically the developer's user account.
Reads any files, source code, secrets, and tokens accessible to the server user, including SSH keys, cloud credentials, and signing material on the workstation.
Modifies or plants files on disk, including build outputs and source files, enabling supply-chain tampering of downstream artifacts.
Can disrupt or hang the MCP server and any tooling that depends on it.

How HarborGuard Handles This

Available on HarborGuard: images containing roslyn-codelens-mcp at versions 0.0.9 through 1.16.x are flagged on ingest, and a rebuild at the fixed 1.17.0 release is offered to affected environments. For customers with auto-remediation enabled, the rebuilt image is produced, run through regression tests, and a PR is opened against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in those environments. Where auto-remediation is not permitted by compliance policy, the finding is routed for manual review with the 1.17.0 upgrade pinned as the recommended action, and compensating guidance (avoid opening untrusted .NET solutions with the MCP server, isolate the server to a sandboxed user, restrict analyzer DLL load paths) is surfaced alongside the advisory.

See how HarborGuard automates this

CVSS v3.1: 7.8
Severity: HIGH
Fixed in: —
Affected Products: 1

Affected packages

MarcelRoozekrans / roslyn-codelens-mcp
>= 0.0.9, < 1.17.0

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References

https://github.com/MarcelRoozekrans/roslyn-codelens-mcp/security/advisories/GHSA-552p-8f74-6x7q