HarborGuard Database

HIGH | CVE-2026-47292 | Published | Modified | CNA: microsoft

CVE-2026-47292: Visual Studio Code MSSQL Extension Remote Code Execution Vulnerability

Inclusion of functionality from untrusted control sphere in Visual Studio Code allows an unauthorized attacker to elevate privileges locally.

Metrics

CVSS v3.1: 7.8
Severity: HIGH
Fixed in: 1.123.2
Affected Products: 1


HarborGuard Analysis

Synopsis

This is a code execution vulnerability in the Visual Studio Code MSSQL Extension, classified by Microsoft under CWE "inclusion of functionality from untrusted control sphere" and described upstream as local privilege elevation. The attack vector is local and no prior authentication is needed, but the victim must take an action, such as opening a crafted file or workspace in VS Code. Successful exploitation yields full confidentiality, integrity and availability impact (C:H/I:H/A:H) in the security context of the VS Code process; scope is unchanged (S:U), so the damage is bounded by the privileges of the user running VS Code, which on a developer workstation typically covers source trees, SSH keys, database connection strings and cloud tokens. The fixed version is 1.123.2, and a patched-image rebuild at that version is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection: Available

Detection capability is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in registries and CI/CD pipelines, including custom-built images that bundle the VS Code MSSQL Extension. Images carrying any version from 1.0.0 up to but not including 1.123.2 are flagged automatically.
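The same version-range check, done locally against a developer machine rather than a container registry. This is an added example, not HarborGuard or Microsoft code. It assumes the extension's marketplace identifier is ms-mssql.mssql and that VS Code installs extensions under ~/.vscode/extensions/<publisher>.<name>-<version>/package.json; neither is stated on this page. The inventory at the bottom is constructed sample data. Pre-release builds of the fixed version (for example 1.123.2-insiders) sort below 1.123.2, as in semver, and are reported as affected.

```python
import json
import re
from pathlib import Path
from typing import Iterable, List, Optional, Tuple

# Affected range from the advisory: >= 1.0.0 and < 1.123.2.
# Tuples are (major, minor, patch, is_release); is_release=0 marks a
# pre-release, which semver orders below the plain release of the same number.
FIRST_AFFECTED = (1, 0, 0, 1)
FIXED_IN = (1, 123, 2, 1)

# Assumed marketplace ID of the MSSQL extension (not stated on the page).
EXTENSION_ID = "ms-mssql.mssql"

_VERSION_RE = re.compile(
    r"^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$"
)


def parse_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """Parse MAJOR.MINOR.PATCH[-prerelease][+build]; None if malformed."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch, prerelease, _build = m.groups()
    return (int(major), int(minor), int(patch), 0 if prerelease else 1)


def is_affected(version: str) -> bool:
    """True when version lies in [1.0.0, 1.123.2).

    An unparseable version is reported as affected so that a damaged or
    hand-edited package.json is surfaced rather than silently passed.
    """
    v = parse_version(version)
    if v is None:
        return True
    return FIRST_AFFECTED <= v < FIXED_IN


def scan_entries(entries: Iterable[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """From (extension_id, version) pairs, return the MSSQL installs needing a patch."""
    return [(ext, ver) for ext, ver in entries
            if ext == EXTENSION_ID and is_affected(ver)]


def scan_extensions_dir(root: Path) -> List[Tuple[str, str]]:
    """Read every installed extension's package.json under root and scan it."""
    found = []
    for pkg in root.glob("*/package.json"):
        try:
            meta = json.loads(pkg.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable manifest: not this extension's problem
        ext_id = f"{meta.get('publisher', '')}.{meta.get('name', '')}"
        found.append((ext_id, str(meta.get("version", ""))))
    return scan_entries(found)


if __name__ == "__main__":
    # Constructed sample inventory, not output of a real scan.
    sample = [
        ("ms-mssql.mssql", "1.123.1"),          # affected
        ("ms-mssql.mssql", "1.123.2"),          # fixed
        ("ms-mssql.mssql", "1.123.2-insiders"), # pre-release of the fix: still affected
        ("ms-mssql.mssql", "0.9.0"),            # below the first affected version
        ("ms-python.python", "2024.4.1"),       # unrelated extension
    ]
    for ext, ver in scan_entries(sample):
        print(f"VULNERABLE {ext} {ver}: upgrade to 1.123.2")
    # Live scan of the assumed default location:
    # print(scan_extensions_dir(Path.home() / ".vscode" / "extensions"))
```

Run it as-is to see the constructed sample evaluated; uncomment the last line to walk a real extensions directory. The function-level split (parse, predicate, scanner) is deliberate so the predicate can be dropped into a CI check that reads an SBOM instead of a filesystem.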
Triage: Available

HarborGuard scores this finding at CVSS 7.8 HIGH and weights it against each customer environment's compliance policy before routing the alert to the appropriate team inbox. Per-environment policy configuration controls urgency thresholds, suppression rules, and escalation paths, so the right people are notified without noise reaching unrelated teams.
Patch: Available

A patched-image rebuild at version 1.123.2 becomes available through HarborGuard once an affected image is detected. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite against the updated image, and opens a pull request against affected workloads for review and merge.

Exploit Conditions

  • Network reachability: Not required (AV:L)

    The vulnerable code runs inside the victim's own VS Code instance, not in a network-exposed service, so the attacker needs no network path to the host. Either existing local access or, more typically for this class of bug, delivery of a crafted file or workspace that the victim then opens is enough.

  • Authentication: Not required (PR:N)

    No account credentials or session token are needed; the attacker holds no privileges on the host before the victim's action triggers the bug.

  • Victim interaction: Required (UI:R)

    The victim must perform an action, such as opening a malicious file or workspace, giving the attacker a social-engineering window to exploit.

  • Attack complexity: Low (AC:L)

    The exploit is reliable and condition-free; no race conditions, memory-layout dependencies, or other environmental factors need to align for it to succeed.

Blast Radius

  • Reads sensitive files, credentials, and secrets accessible to the process that runs the attacker's code (C:H).
  • Modifies or overwrites files and configuration that the compromised process can write (I:H).
  • Crashes or disrupts the affected process or dependent processes running under the same context (A:H).
  • Gains a foothold for further lateral movement within the host or container environment; scope is unchanged (S:U), so the initial impact is confined to the security context of the VS Code process rather than a different authority.

How HarborGuard Handles This

Available on HarborGuard: detection fires within minutes of the CVE publication date, flagging any image that bundles the VS Code MSSQL Extension at a version below 1.123.2. A patched-image rebuild targeting version 1.123.2 is available immediately upon detection. For customers who have auto-remediation enabled, HarborGuard rebuilds the image, executes a regression test run, and opens a PR against affected workloads; for HIGH-severity issues, the median time from CVE publication to a merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where compliance policy does not permit auto-remediation, the finding is routed to the designated team inbox with full CVSS context and a direct reference to the upstream Microsoft advisory so engineers can act manually.

Affected packages
  • Microsoft / Visual Studio Code - MSSQL Extension: >= 1.0.0, < 1.123.2

CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

The 7.8 shown above is the base score. The vector also carries temporal metrics: E:U (no public exploit known), RL:O (official fix available) and RC:C (report confirmed). Applying the CVSS v3.1 temporal multipliers (0.91, 0.95 and 1.0) gives a temporal score of 6.8, which is the figure to use if a triage policy keys on current exploitability rather than worst case.