Skip to content

Unconfirmed Remote Host Connection via Workspace File

High
alexdima published GHSA-5j3g-c7qg-xfvx Jun 9, 2026

Package

vscode

Affected versions

<1.123.1

Patched versions

1.123.1

Description

VS Code - Elevation of Privilege Vulnerability

An elevation of privilege vulnerability exists in VS Code 1.123.0 and earlier versions where a user who is tricked into opening a crafted .code-workspace file containing a direct host:port remote authority could have their extension host backend silently connected to an attacker-controlled server without confirmation.

Patches

The fix is available starting with VS Code 1.123.1. The fix (9505d0f) mitigates this by prompting the user for confirmation before connecting to any non-loopback remote host:port authority.

Workarounds

Avoid opening .code-workspace files from untrusted sources.

References

Severity

High

CVE ID

CVE-2026-47281

Weaknesses

Missing Authentication for Critical Function

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. Learn more on MITRE.

Use of Hard-coded Credentials

The product contains hard-coded credentials, such as a password or cryptographic key. Learn more on MITRE.

Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action. Learn more on MITRE.

Credits