HarborGuardharborguardDatabase
Back to search
HIGHCVE-2026-48989Published Modified CNA GitHub_M

CVE-2026-48989: Windows-MCP: HTTP transports expose unauthenticated PowerShell control with wildcard CORS

Windows-MCP is an open-source project that integrates AI agents with Windows. In versions prior to 0.7.5, certain HTTP modes exposed the MCP control plane without authentication while enabling wildcard CORS (allow_origins=*, allow_methods=*, allow_headers=*). Because the same server also exposed a PowerShell tool that executes caller-controlled commands as the Windows user running Windows-MCP, attackers could reach the control plane from arbitrary origins or non-browser clients and achieve arbitrary PowerShell execution. This issue was fixed in version 0.7.5.

Metrics

CVSS v4.0
8.9
Severity
HIGH
Fixed in
Affected Products
1

Get notified

Email me when this CVE is updated: new fix versions, severity changes, or any record change.

HarborGuard Analysis

Synopsis

An authentication bypass vulnerability in Windows-MCP (the open-source AI-agent-to-Windows bridge) exposes an unauthenticated HTTP control plane to any network-reachable client. The server runs with wildcard CORS (allow_origins=*, allow_methods=*, allow_headers=*) and no credential requirement, so any origin or non-browser HTTP client can reach it directly. Successful exploitation gives the attacker full arbitrary PowerShell execution as the Windows user running Windows-MCP, enabling complete read, write, and denial-of-service capability on that host. No fix version has been published yet; HarborGuard tracks the advisory and will make a patched-image rebuild available the moment upstream ships a fix.

HarborGuard Coverage

Detection

Detection of CVE-2026-48989 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle Windows-MCP, at each scan cycle.

Available
Triage

HarborGuard scores this CVE at 8.9 HIGH (CVSS v4.0) and surfaces it with that severity weighting inside each customer organization's compliance policy engine, routing findings to the appropriate team inbox based on per-environment policy configuration.

Available
Patch

Because no fix version exists upstream, HarborGuard re-evaluates the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a fixed release is published. In the interim, the finding remains open and visible in each customer's vulnerability dashboard so teams can apply compensating controls manually.

Pending upstream

Exploit Conditions

  • Network reachabilityRequired

    The attacker must reach the Windows-MCP HTTP server over the network; the service is exposed on a standard HTTP port and is reachable from any origin due to wildcard CORS configuration.

  • AuthenticationNot required

    No credentials of any kind are required; the control plane is fully unauthenticated in affected versions.

  • Victim interactionNot required

    The attacker contacts the server directly with no need for a victim to click a link or take any action.

  • Attack complexityDetail

    Exploitation is straightforward and condition-free; no race conditions, memory-layout dependencies, or environmental factors need to be met.

Blast Radius

  • The attacker executes arbitrary PowerShell commands as the Windows user running Windows-MCP, giving full read access to files, environment variables, and credentials stored on the host.
  • The attacker can write, modify, or delete files and registry entries within the permissions of the running user account.
  • The attacker can terminate processes, reconfigure services, or otherwise crash or disable the host environment, causing a denial of service.
  • Because PowerShell can reach out to the network, the attacker can use the compromised host as a pivot point for lateral movement within the same environment.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-48989 is active across all customer environments and will flag any image bundling an affected version of Windows-MCP (versions prior to 0.7.5). Because no upstream fix exists at this time, HarborGuard does not yet have a patched-image rebuild to offer; instead, the advisory is re-checked on every ingest cycle so that a rebuild becomes available automatically once CursorTouch publishes version 0.7.5 or later. While the fix is pending, teams are advised to apply network-policy controls that restrict inbound access to the Windows-MCP HTTP port to trusted sources only, disable or block the PowerShell tool endpoint at the reverse-proxy or firewall layer where possible, and consider disabling HTTP transport modes in favor of a locally-scoped socket or pipe if the deployment model allows it. For customers with auto-remediation enabled, a patched rebuild and regression run will be triggered and a PR opened against affected workloads within minutes of the upstream release becoming available.

See how HarborGuard automates this
Affected packages
  • CursorTouch / Windows-MCP
    < 0.7.5
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P
References