Windsurf CVE-2026-30615: Prompt Injection to Local RCE via Untrusted MCP Configuration Manipulation
Date: 2026-06-23
Tags: prompt-injection, mcp-security
Executive Summary
A prompt injection vulnerability in Windsurf 1.9544.26 allows remote attackers to execute arbitrary commands on a victim system. When Windsurf processes attacker-controlled HTML content, malicious instructions can cause unauthorized modification of the local MCP configuration and automatic registration of a malicious MCP STDIO server, resulting in execution of arbitrary commands without further user interaction.
Campaign Summary
| Field | Detail |
|---|---|
| Campaign / Malware | Windsurf CVE-2026-30615 Exploitation |
| Attribution | Unknown (confidence: none) |
| Target | Windsurf IDE users; developers using Model Context Protocol integration |
| Vector | Attacker-controlled HTML content processed by Windsurf; prompt injection via web content |
| Status | active |
| First Observed | 2026-04-17 |
Detailed Findings
CVE 2026 30615 is a prompt injection vulnerability in Windsurf 1.9544.26 that allows remote attackers to execute arbitrary commands on a victim system. A remote attacker can access the publicly exposed MCP management interface and configure an MCP STDIO server with attacker-controlled commands and arguments. When the MCP server is started and MCP is enabled for agent execution, subsequent agent activity triggers execution of arbitrary commands on the server. CVE-2026-22708, disclosed against Cursor, lets an attacker poison the agent's execution environment so allowlisted commands like git branch deliver arbitrary payloads. The allowlist made the attack easier by auto-approving the very commands the attacker needed. This vulnerability is part of a broader class of MCP-based prompt injection attacks affecting AI coding assistants in 2026.
MITRE ATT&CK Mapping
| Technique | ID | Context |
|---|---|---|
| Prompt Injection | T1593.003 | Malicious instructions embedded in HTML/web content to manipulate IDE configuration |
| Execution via MCP Command Injection | T1203 | Arbitrary command execution through malicious MCP STDIO server configuration |
| Abuse of Functionality | T1204.001 | IDE's trust of attacker-controlled content to modify configuration without user awareness |
IOCs
Domains
_No specific IOCs published. Vulnerability is in IDE software itself, not supply chain packages._
Full URL Paths
_No specific IOCs published. Vulnerability is in IDE software itself, not supply chain packages._
Splunk Format
_No IOCs available for Splunk query_
Affected Platforms
Windsurf IDE version 1.9544.26 and earlier
Model Context Protocol (MCP) clientsDetection Recommendations
Monitor for unexpected MCP STDIO server registrations in Windsurf configuration files; audit HTML content sources being processed by IDE; implement content filtering for IDE input; require explicit user confirmation for MCP configuration changes; scan for suspicious command parameters in MCP server definitions; update Windsurf to patched version immediately; monitor process execution from IDE contexts.
References
- [OX Security] MCP STDIO Command Injection: Full Vulnerability Advisory (2026-04-17) — https://www.ox.security/blog/mcp-supply-chain-advisory-rce-vulnerabilities-across-the-ai-ecosystem/
- [Help Net Security] Prompt injection still drives most agentic AI security failures in production (2026-06-11) — https://www.helpnetsecurity.com/2026/06/11/owasp-prompt-injection-ai-security-failures/
- [TechTimes] AI Agent Security Hits Its Reckoning: Prompt Injection May Be a Permanent Flaw, Not a Patchable Bug (2026-06-14) — https://www.techtimes.com/articles/318361/20260614/ai-agent-security-hits-its-reckoning-prompt-injection-may-permanent-flaw-not-patchable-bug.htm