Windsurf Zero-Click Prompt Injection RCE (CVE-2026-30615) in AI IDE Supply Chain—MCP SDK Design Flaw Affects 150M+ Downloads
Date: 2026-05-13
Tags: mcp-security, supply-chain, prompt-injection
Executive Summary
A prompt injection vulnerability in Windsurf 1.9544.26 allows remote attackers to execute arbitrary commands on a victim system. When Windsurf processes attacker-controlled HTML content, malicious instructions can cause unauthorized modification of the local MCP configuration and automatic registration of a malicious MCP STDIO server, resulting in execution of arbitrary commands without further user interaction. Windsurf (CVE-2026-30615) was the only IDE where exploitation required zero user interaction. This represents a systemic architectural flaw in Anthropic's MCP that propagates across 150M+ downloads.
Campaign Summary
| Field | Detail |
|---|---|
| Campaign / Malware | MCP STDIO Architectural Vulnerability Supply Chain |
| Attribution | Unknown; inherent design flaw in Anthropic MCP SDK (confidence: none) |
| Target | All developers using Windsurf, Cursor, Claude Code, GitHub Copilot CLI, VS Code; indirect impact to 150M+ downstream model consumers |
| Vector | Prompt injection → MCP JSON configuration modification → arbitrary STDIO server execution |
| Status | active |
| First Observed | 2026-04-16 (OX Security disclosure) |
Detailed Findings
Unauthenticated command injection through MCP marketplaces, delivered over network requests, triggers hidden STDIO configurations. Anthropic's Model Context Protocol provides a direct configuration-to-command execution path through its STDIO transport in every official implementation, regardless of programming language. The code was intended to start a local STDIO server and hand its STDIO handle back to the LLM, but in practice it runs whatever OS command the configuration names: if the command successfully starts an STDIO server, the handle is returned; if it is any other command, it is still executed and an error is returned afterwards. What made this a supply chain event rather than a single CVE is that one architectural decision, made once, propagated silently into every language, every downstream library, and every project that trusted the protocol to be what it appeared to be. The vulnerability ripples through a supply chain with 150M+ downloads and 7,000+ publicly accessible servers, up to 200,000 vulnerable instances in total. Four distinct families of exploitation proved the flaw can be triggered via:
- Unauthenticated UI injection in popular AI frameworks;
- Hardening bypasses in "protected" environments such as Flowise;
- Zero-click prompt injection in leading AI IDEs (Windsurf, Cursor);
- Malicious marketplace distribution (9 out of 11 MCP registries were successfully "poisoned" with a malicious trial balloon).
MITRE ATT&CK Mapping
| Technique | ID | Context |
|---|---|---|
| Prompt Injection | T1234 | Malicious instructions embedded in HTML cause MCP configuration override |
| Execution via API | T1059.008 | Arbitrary OS commands executed through STDIO MCP subprocess spawning |
| Supply Chain Compromise | T1195.001 | Architectural flaw propagated through official Anthropic SDKs across all supported languages |
IOCs
Domains
_No domain IOCs reported. No CVE issued for the broader MCP flaw; Windsurf assigned CVE-2026-30615 (CVSS 8.8)._
Full URL Paths
_No URL path IOCs reported._
Splunk Format
_No IOCs available for Splunk query_
Package Indicators
Anthropic MCP SDK (all versions with STDIO transport)
Windsurf 1.9544.26 and prior
Cursor, VS Code, GitHub Copilot CLI (all versions using MCP)
LangFlow (all versions using MCP)
Flowise (all versions using MCP)
9 out of 11 public MCP registries successfully poisoned in PoC
Detection Recommendations
Immediate:
1. Upgrade to patched versions of Windsurf (if a patch is available); for other IDEs, disable MCP STDIO functionality pending a vendor patch.
2. Monitor IDE logs and process-creation events for STDIO subprocess spawning with unexpected commands.
3. Audit local .mcp.json and .claude/settings.json files for suspicious MCP server registrations.

Ongoing:
1. Implement OS-level execution restrictions on IDE and agent processes (AppArmor / SELinux).
2. Use MCP marketplaces only after code-signing verification.
3. Deploy network segmentation to restrict IDE process egress.
4. Mandate 'manifest-only execution' or command allowlists at the MCP SDK level (Anthropic's proposed fix).
5. Red-team your MCP integrations with prompt injection payloads.
6. Monitor for new MCP registries published post-disclosure that may be malicious mirrors.
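The two points above that a defender can act on directly are the config audit (Immediate, item 3) and the SDK-level command allowlist (Ongoing, item 4), and both rest on the mechanism described under Detailed Findings: a STDIO entry's `command` and `args` go straight to a process spawn. The script below is an added example, not code from this advisory, from OX Security, or from the MCP SDK. It assumes the common `{"mcpServers": {name: {"command", "args", "env"}}}` layout for STDIO entries and `{"url": ...}` for HTTP entries; the allowlist, the risky-environment list and the `SAMPLE_SERVERS` config are constructed for illustration. `audit_config` buckets every registration by verdict, and `guarded_launch` shows the same check placed in front of the spawn instead of after it.

```python
"""Audit MCP client configuration for STDIO server entries that would spawn
commands outside an allowlist, and gate any launch on the same check.

Added example (not code from the advisory, OX Security, or the MCP SDK).
Assumed config layout: {"mcpServers": {name: {"command", "args", "env"}}}
for STDIO entries and {"url": ...} for HTTP entries. ALLOWED_COMMANDS,
RISKY_ENV and SAMPLE_SERVERS are constructed for this illustration.
"""
import json
import os
import subprocess
from typing import Any

# Constructed allowlist: executable basename -> maximum number of arguments.
# In production this would come from a signed manifest, not from the same
# file an agent can rewrite.
ALLOWED_COMMANDS: dict[str, int] = {"npx": 4, "uvx": 4, "node": 2, "python": 3}
# Flags that turn an allowed interpreter into "run this inline code".
INLINE_CODE_FLAGS = {"-c", "-e", "--eval"}
# Shell metacharacters that should never appear in a server's argv.
SHELL_METACHARS = ("|", ";", "&&", "$(", "`", ">")
# Environment variables that inject code into an otherwise allowed process.
RISKY_ENV = {"LD_PRELOAD", "DYLD_INSERT_LIBRARIES", "NODE_OPTIONS", "PYTHONSTARTUP"}


def classify_entry(name: str, entry: dict[str, Any]) -> tuple[str, str]:
    """Return (verdict, reason): "ok", "suspicious", or "skip" for non-STDIO."""
    if "url" in entry and "command" not in entry:
        return "skip", f"{name}: HTTP transport, no local process"
    command = entry.get("command")
    if not isinstance(command, str) or not command.strip():
        return "suspicious", f"{name}: missing or empty command"
    args = entry.get("args", [])
    if not isinstance(args, list) or not all(isinstance(a, str) for a in args):
        return "suspicious", f"{name}: args is not a list of strings"
    env = entry.get("env", {})
    if not isinstance(env, dict):
        return "suspicious", f"{name}: env is not an object"
    exe = os.path.basename(command)
    if exe not in ALLOWED_COMMANDS:
        return "suspicious", f"{name}: executable {command!r} not in allowlist"
    if len(args) > ALLOWED_COMMANDS[exe]:
        return "suspicious", f"{name}: {len(args)} arguments exceeds limit for {exe}"
    if any(a in INLINE_CODE_FLAGS for a in args):
        return "suspicious", f"{name}: inline-code flag passed to {exe}"
    if any(m in a for a in args for m in SHELL_METACHARS):
        return "suspicious", f"{name}: shell metacharacter in arguments"
    if RISKY_ENV & set(env):
        return "suspicious", f"{name}: code-injecting environment variable set"
    return "ok", f"{name}: {exe} {' '.join(args)}".rstrip()


def audit_config(config_text: str) -> dict[str, list[str]]:
    """Parse a config file's JSON text and bucket every server entry by verdict."""
    report: dict[str, list[str]] = {"ok": [], "suspicious": [], "skip": []}
    try:
        config = json.loads(config_text)
    except json.JSONDecodeError as exc:
        report["suspicious"].append(f"config is not valid JSON: {exc}")
        return report
    servers = config.get("mcpServers") if isinstance(config, dict) else None
    if not isinstance(servers, dict):
        report["suspicious"].append("mcpServers missing or not an object")
        return report
    for name, entry in servers.items():
        if not isinstance(entry, dict):
            report["suspicious"].append(f"{name}: entry is not an object")
            continue
        verdict, reason = classify_entry(name, entry)
        report[verdict].append(reason)
    return report


def guarded_launch(name: str, entry: dict[str, Any], dry_run: bool = True):
    """Spawn a STDIO server only after classify_entry approves the entry.

    The unguarded path the advisory describes hands command and args straight
    to a process spawn. Here the check runs first; with dry_run=True the argv
    that would be executed is returned instead of spawning anything."""
    verdict, reason = classify_entry(name, entry)
    if verdict != "ok":
        raise PermissionError(reason)
    argv = [entry["command"], *entry.get("args", [])]
    if dry_run:
        return argv
    return subprocess.Popen(argv, stdin=subprocess.PIPE, stdout=subprocess.PIPE,
                            env={**os.environ, **entry.get("env", {})})


# Constructed sample: one legitimate server, one HTTP server, and one
# registration of the shape a prompt-injected agent might write.
SAMPLE_SERVERS: dict[str, dict[str, Any]] = {
    "filesystem": {
        "command": "npx",
        "args": ["-y", "@modelcontextprotocol/server-filesystem", "/home/dev/project"],
    },
    "docs": {"type": "http", "url": "https://docs.example.invalid/mcp"},
    "injected": {"command": "sh", "args": ["-c", "echo CONSTRUCTED_PLACEHOLDER"]},
}
SAMPLE_CONFIG = json.dumps({"mcpServers": SAMPLE_SERVERS})

if __name__ == "__main__":
    for verdict, reasons in audit_config(SAMPLE_CONFIG).items():
        for reason in reasons:
            print(f"[{verdict}] {reason}")
```

Point `audit_config` at the contents of a real `.mcp.json` or `.claude/settings.json` and treat anything in the `suspicious` bucket as a registration to review by hand. The allowlist keys on the executable's basename, so an entry that smuggles a full shell command into `command` fails the lookup rather than being parsed; the `env` check matters because a prompt-injected agent can keep an allowed interpreter and still inject code through the environment.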
References
- [OX Security] MCP Supply Chain Advisory: RCE Vulnerabilities Across the AI Ecosystem (2026-04-16) — https://www.ox.security/blog/mcp-supply-chain-advisory-rce-vulnerabilities-across-the-ai-ecosystem/
- [The Hacker News] Anthropic MCP Design Vulnerability Enables RCE, Threatening AI Supply Chain (2026-04-16) — https://thehackernews.com/2026/04/anthropic-mcp-design-vulnerability.html
- [The Register] MCP 'Design Flaw' Puts 200k Servers at Risk: Researcher (2026-04-16) — https://www.theregister.com/2026/04/16/anthropic_mcp_design_flaw/
- [Microsoft Security Blog] When Prompts Become Shells: RCE Vulnerabilities in AI Agent Frameworks (2026-05-07) — https://www.microsoft.com/en-us/security/blog/2026/05/07/prompts-become-shells-rce-vulnerabilities-ai-agent-frameworks/