How is CVE-2026-48569 exploited?

Network reachability (not-required): The attacker needs an existing shell or process on the host; no network-facing exposure is required to reach the vulnerable component. Authentication (not-required): No account or credentials are required before exploitation; the attacker can proceed without prior authentication. Victim interaction (required): A victim must take an action, such as opening a malicious file or project, for the exploit to execute. Attack complexity (info): The exploit is reliable and condition-free; no race conditions or specific memory layout requirements must be met.

What is the impact of CVE-2026-48569?

A successful attacker reads sensitive data from outside the security scope that Visual Studio Code is intended to enforce, including files or tokens the process should not be able to access. The attacker can make limited modifications to data within the broader scope, though write access is constrained. Service availability is not affected; the running editor or host process remains operational after exploitation. Because the vulnerability has a Changed scope (S:C), impact can extend beyond the immediate VS Code process to other components or data on the same host.

Back to search

HIGHCVE-2026-48569Published 2026-06-09Modified 2026-06-10CNA microsoft

CVE-2026-48569: Visual Studio Code Security Feature Bypass Vulnerability

Improper input validation in Visual Studio Code allows an unauthorized attacker to bypass a security feature locally.

CVSS v3.1: 7.1
Severity: HIGH
Fixed in: 1.123.2
Affected Products: 1

HarborGuard Analysis

Synopsis

A security feature bypass vulnerability exists in Visual Studio Code due to improper input validation. The attack is local, requires no prior authentication, but does need the victim to open a malicious file or take a similar action; a CVSS v3.1 score of 7.1 (High) reflects the scoped, cross-boundary impact. Successful exploitation allows an attacker to read sensitive data from outside the expected security boundary and make limited modifications, though it does not disrupt availability. A patched-image rebuild at version 1.123.2 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images, including custom-built images that bundle Visual Studio Code. Any image running a version of Visual Studio Code prior to 1.123.2 is flagged automatically.

Available

Triage

HarborGuard is capable of scoring this CVE at 7.1 High using the CVSS v3.1 vector, with per-environment compliance policy weighting applied to prioritize or escalate the finding as each customer's policy dictates. Triage routing is available to direct the finding to the appropriate team inbox within each customer organization.

Available

Patch

A patched-image rebuild at Visual Studio Code 1.123.2 becomes available on HarborGuard once the upstream fix is confirmed. For customers who opt into auto-remediation, the pipeline is capable of performing the rebuild, running a regression test suite, and opening a pull request against affected workloads automatically.

Available

Exploit Conditions

Network reachabilityNot required
The attacker needs an existing shell or process on the host; no network-facing exposure is required to reach the vulnerable component.
AuthenticationNot required
No account or credentials are required before exploitation; the attacker can proceed without prior authentication.
Victim interactionRequired
A victim must take an action, such as opening a malicious file or project, for the exploit to execute.
Attack complexityDetail
The exploit is reliable and condition-free; no race conditions or specific memory layout requirements must be met.

Blast Radius

A successful attacker reads sensitive data from outside the security scope that Visual Studio Code is intended to enforce, including files or tokens the process should not be able to access.
The attacker can make limited modifications to data within the broader scope, though write access is constrained.
Service availability is not affected; the running editor or host process remains operational after exploitation.
Because the vulnerability has a Changed scope (S:C), impact can extend beyond the immediate VS Code process to other components or data on the same host.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-48569 is active across all connected registries and build pipelines, matching any image that includes Visual Studio Code prior to version 1.123.2. A patched-image rebuild targeting version 1.123.2 is available for affected environments. For customers who opt into auto-remediation, HarborGuard is capable of rebuilding the image, executing a regression run, and opening a pull request against affected workloads; for high-severity issues, the median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where compliance policy requires manual approval, the finding is routed to the designated team inbox with full CVSS context and policy weighting attached. Because this is a local, interaction-required vulnerability, compensating controls such as restricting untrusted file opens, enforcing workspace trust settings in VS Code, and limiting shell access to developer workstations can reduce exposure while a rebuild is being reviewed.

See how HarborGuard automates this

Fix available

1.123.2

Patch commits

Visual Studio Code Security Feature Bypass Vulnerability

Affected packages

Microsoft / Visual Studio Code
< 1.123.2 (from 1.0.0)

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N/E:U/RL:O/RC:C

References

Visual Studio Code Security Feature Bypass Vulnerability

Metrics

Get notified

HarborGuard Analysis

Synopsis

HarborGuard Coverage

Exploit Conditions

Blast Radius

How HarborGuard Handles This

Fix available