HarborGuardharborguardDatabase
Back to search
CRITICALCVE-2026-47281Published Modified CNA microsoft

CVE-2026-47281: Visual Studio Code Elevation of Privilege Vulnerability

Improper input validation in Visual Studio Code allows an unauthorized attacker to elevate privileges over a network.

Metrics

CVSS v3.1
9.6
Severity
CRITICAL
Fixed in
1.123.2
Affected Products
1

Get notified

Email me when this CVE is updated: new fix versions, severity changes, or any record change.

HarborGuard Analysis

Synopsis

An improper input validation vulnerability in Visual Studio Code allows an unauthenticated remote attacker to elevate privileges by reaching the affected application over a network connection. A victim must take some action, such as opening a malicious file or workspace, for exploitation to succeed. Successful exploitation gives the attacker high-level access to confidentiality, integrity, and availability across the affected scope, enabling data theft, file modification, and service disruption. A patched-image rebuild at version 1.123.2 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment - the CVE is matched against customer images within minutes of ingestion from upstream feeds, including custom-built images that bundle Visual Studio Code or its components. Any image in a customer registry or CI pipeline running Visual Studio Code below version 1.123.2 is flagged automatically.

Available
Triage

HarborGuard surfaces this CVE with its CVSS v3.1 score of 9.6 (Critical) and applies per-environment compliance policy weighting to prioritize alerting and route findings to the appropriate team inbox within each customer organization. Policy-driven severity overrides are available for environments with stricter or looser tolerance thresholds.

Available
Patch

A patched-image rebuild at Visual Studio Code 1.123.2 becomes available through HarborGuard the moment the fix version is resolvable in the dependency graph. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite against the new image, and opens a pull request against affected workloads without requiring manual intervention.

Available

Exploit Conditions

  • Network reachabilityRequired

    The attacker must reach the Visual Studio Code instance over the network; local-only deployments with no external exposure reduce but do not eliminate risk from lateral movement.

  • AuthenticationNot required

    No credentials or existing account are needed - the attacker can initiate the exploit as an anonymous, unauthenticated party.

  • Victim interactionRequired

    A user must perform an action, such as opening a crafted file, workspace, or following a malicious link, for the exploit to trigger.

  • Attack complexityDetail

    Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other hard-to-control environmental factors.

Blast Radius

  • Attacker reads sensitive files and data accessible within the affected scope, including credentials, tokens, and configuration files.
  • Attacker writes or modifies files and settings on the compromised system, enabling persistence or further lateral movement.
  • Attacker disrupts or terminates the affected service, causing availability loss for any workload depending on the Visual Studio Code instance.
  • Because the scope is changed (S:C), impact can extend beyond the immediate VS Code process to other components or containers sharing the same host or trust boundary.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-47281 is active across all connected registries and pipelines, matching images that include Visual Studio Code versions from 1.0.0 up to but not including 1.123.2. For customers who opt into auto-remediation, HarborGuard can rebuild the affected image at version 1.123.2, execute a regression test run against the new image, and open a pull request against affected workloads; for high-severity and critical issues, the median time from CVE publication to a merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where compliance policy permits automated changes, no manual triage step is required before the fix is proposed. Customers who do not use auto-remediation will see the finding surfaced in their dashboard with full CVSS detail and remediation guidance pointing to the 1.123.2 upgrade.

See how HarborGuard automates this

Fix available

1.123.2
Patch commits
Affected packages
  • Microsoft / Visual Studio Code
    < 1.123.2 (from 1.0.0)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
References