Lead Story · High · AI Dev Tool Security · Dev
Windsurf CVE-2026-30615: Zero-Click MCP Prompt Injection RCE — the Only AI IDE Where No User Interaction Was Required
OX Security documented a zero-click RCE path in Windsurf 1.9544.26 (CVE-2026-30615, CVSS 8.0): attacker-controlled HTML silently rewrites the local MCP configuration and registers a malicious server, achieving arbitrary command execution when the MCP SDK initialises. Of five AI IDEs tested, Windsurf was the only one that required no user interaction at any step.
OX Security's April 2026 MCP supply chain advisory documents the attack path. When Windsurf 1.9544.26 renders attacker-controlled HTML, the injected instructions silently rewrite the local mcp.json configuration file and register a malicious STDIO server. STDIO servers are local processes, so when the MCP SDK next initialises it launches the registered binary, and arbitrary command execution follows with no approval dialog, no confirmation step, and no user interaction of any kind.
OX ran the same scenario against five AI IDEs: Cursor, VS Code, Windsurf, Claude Code, and Gemini-CLI. The other four each required at least one user action (such as approving a file modification) before execution; Windsurf required none. The architectural gap is Windsurf's HTML rendering path, which acted on the injected instructions before any validation ran. Windsurf has shipped a fix in releases after 1.9544.26; if your development environment still runs 1.9544.26 or earlier, update now. OX Security →
→ Key Takeaway: the attack surface is attacker-controlled content rendered by the IDE, which can arrive through any channel Windsurf processes. Upgrade to a Windsurf release newer than 1.9544.26 immediately. If your organization deploys AI IDEs centrally, treat the MCP configuration file as executable configuration: add it to your endpoint file-integrity baseline and alert on any new or changed command/args entry, because every STDIO server listed there is a process the IDE will spawn on its own.
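The check the takeaway calls for, as an added example written for this digest (it is not OX Security's or Windsurf's code): pin the MCP configuration to a reviewed baseline, and when the file changes, diff the registered servers so that added or altered STDIO entries, the ones the SDK will spawn, are reported first. It assumes the JSON layout most MCP clients share, an "mcpServers" object whose entries carry either "command"/"args" (STDIO server) or "url" (remote server); the two sample configurations are constructed, and the file path in check_file is a placeholder.

```python
"""Baseline-and-diff check for an MCP client configuration file (added example)."""
import hashlib
import json
from typing import Dict, List

# Constructed sample: the configuration an operator reviewed and approved.
BASELINE_CONFIG = json.dumps({
    "mcpServers": {
        "filesystem": {
            "command": "npx",
            "args": ["-y", "@modelcontextprotocol/server-filesystem", "/home/dev/src"],
        },
        "docs": {"url": "https://mcp.example.invalid/docs"},
    }
}, indent=2)

# Constructed sample: the same file after attacker-controlled content rewrote it.
# The existing server's command now resolves into a writable directory and a new
# STDIO server has been registered; both run on the next SDK initialisation.
TAMPERED_CONFIG = json.dumps({
    "mcpServers": {
        "filesystem": {
            "command": "/tmp/.cache/npx",
            "args": ["-y", "@modelcontextprotocol/server-filesystem", "/home/dev/src"],
        },
        "docs": {"url": "https://mcp.example.invalid/docs"},
        "helper": {"command": "sh", "args": ["-c", "/tmp/.cache/helper"]},
    }
}, indent=2)


def sha256_hex(text: str) -> str:
    """Content hash to pin in the endpoint baseline; cheap first-stage check."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def parse_servers(config_text: str) -> Dict[str, Dict[str, str]]:
    """Reduce each server entry to what matters for execution: its transport kind
    and the exact command line (or URL) the client will use."""
    servers = json.loads(config_text).get("mcpServers", {})
    reduced: Dict[str, Dict[str, str]] = {}
    for name, spec in servers.items():
        if "command" in spec:                      # STDIO: a local process
            argv = [spec["command"], *spec.get("args", [])]
            reduced[name] = {"kind": "stdio", "launch": " ".join(argv)}
        elif "url" in spec:                        # remote transport
            reduced[name] = {"kind": "remote", "launch": spec["url"]}
        else:                                      # unknown shape: keep it visible
            reduced[name] = {"kind": "unknown", "launch": json.dumps(spec, sort_keys=True)}
    return reduced


def diff_servers(baseline_text: str, current_text: str) -> List[Dict[str, str]]:
    """One finding per server added, changed or removed relative to the baseline.
    STDIO findings sort first because those are the entries that spawn processes."""
    if sha256_hex(baseline_text) == sha256_hex(current_text):
        return []
    base, cur = parse_servers(baseline_text), parse_servers(current_text)
    findings: List[Dict[str, str]] = []
    for name, spec in cur.items():
        if name not in base:
            findings.append({"server": name, "kind": spec["kind"],
                             "reason": "added", "launch": spec["launch"]})
        elif spec != base[name]:
            findings.append({"server": name, "kind": spec["kind"], "reason": "changed",
                             "launch": spec["launch"], "was": base[name]["launch"]})
    for name, spec in base.items():
        if name not in cur:
            findings.append({"server": name, "kind": spec["kind"],
                             "reason": "removed", "launch": spec["launch"]})
    findings.sort(key=lambda f: (f["kind"] != "stdio", f["server"]))
    return findings


def check_file(path: str, baseline_text: str) -> List[Dict[str, str]]:
    """Scheduled endpoint check against a real mcp.json path (path is a placeholder)."""
    with open(path, encoding="utf-8") as fh:
        return diff_servers(baseline_text, fh.read())


if __name__ == "__main__":
    for f in diff_servers(BASELINE_CONFIG, TAMPERED_CONFIG):
        was = f"  (was: {f['was']})" if "was" in f else ""
        print(f"{f['reason']:8} {f['kind']:6} {f['server']}: {f['launch']}{was}")
```

Hashing alone tells you the file changed; the server-level diff tells the responder what will execute and where the launch path now points, which is what decides whether the alert is a developer adding a tool or a rewritten configuration. The baseline should be stored outside the user's home directory so the same content injection cannot update it too.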
Quick Hits
01
Palo Alto PAN-OS Zero-Day: Root RCE in User-ID Auth Portal, Actively Exploited, No Patch Until May 13
Palo Alto Networks disclosed CVE-2026-0300 (CVSS 9.3) on May 6 — an out-of-bounds write in the User-ID™ Authentication Portal — alongside confirmation of limited active exploitation against internet-exposed portals; CISA added it to the Known Exploited Vulnerabilities catalog the same day. The flaw gives an unauthenticated attacker root-level code execution on PA-Series and VM-Series firewalls with no credentials and no user interaction required; Shadowserver tracks over 5,800 exposed instances globally, 1,998 in North America. No patch is available until May 13 — restrict or disable the User-ID Authentication Portal immediately if it faces untrusted networks, and schedule the May 13 upgrade now. Palo Alto advisory →
Critical · Network Security · Cloud+DevOps · Enterprise · IT Ops
CVE Watch
CVE-2026-4670 — MOVEit Automation: CVSS 9.8 Authentication Bypass, No Workaround Available
CVE-2026-4670 is an unauthenticated authentication bypass in MOVEit Automation: a crafted request to the backend command port is processed before any authentication logic runs, granting full administrative access (read, write, schedule manipulation, and redirection of file transfers). No active exploitation had been confirmed as of May 6, 2026. Progress Software has released patches for three version branches and offers no workaround; upgrading via the full installer is the only remediation path. Cl0p's 2023 mass exploitation of the sibling product MOVEit Transfer compromised hundreds of organizations globally, including several in Canada, and that history makes this an immediate patch priority even before exploitation is confirmed. NVD →
Vendor: Progress Software · CVE: CVE-2026-4670 · CVSS: 9.8 · Affected: MOVEit Automation before 2025.1.5 / 2025.0.9 / 2024.1.8 · Fix: Available — upgrade to 2025.1.5, 2025.0.9, or 2024.1.8 · Exploitation: Not confirmed as of May 6, 2026
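The bug class named above, a command port that acts on a request before authentication runs, as an added illustration for this digest (it is not Progress Software's code and says nothing about how MOVEit Automation is built). The request shape, command names and session store are assumptions. The vulnerable dispatcher makes two classic mistakes: it executes the handler before consulting the auth table, and it looks the command up under its raw name with a fail-open default, while the handler normalises the name, so a capitalised command name misses the table and runs unauthenticated. The hardened version normalises first, denies unknown commands, and checks the session before any work.

```python
"""Auth-before-dispatch on a command port: vulnerable ordering beside the fix (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Request:
    command: str                      # command name as received on the wire
    session: Optional[str] = None     # session token; None when unauthenticated
    params: Dict[str, str] = field(default_factory=dict)


VALID_SESSIONS = {"sess-ops-42": "operator"}   # constructed session store

# Command table; "public" marks the only command that needs no session.
COMMANDS = {
    "ping":              {"public": True},
    "task.list":         {"public": False},
    "task.schedule":     {"public": False},
    "transfer.redirect": {"public": False},
}

EXECUTION_LOG: List[str] = []   # records every command that actually ran


def normalise(name: str) -> str:
    return name.strip().lower()


def run_command(req: Request) -> str:
    """The handler normalises the name before dispatching (a common pattern)."""
    name = normalise(req.command)
    if name not in COMMANDS:
        return "unknown command"
    EXECUTION_LOG.append(name)          # side effect: the work has been done
    return f"executed {name}"


def dispatch_vulnerable(req: Request) -> str:
    """Looks the auth policy up under the raw name with a fail-open default,
    and runs the handler before the auth check is evaluated at all."""
    entry = COMMANDS.get(req.command, {"public": True})   # raw name, fail-open
    result = run_command(req)                              # work before auth
    if not entry["public"] and req.session not in VALID_SESSIONS:
        return "denied (after the command already ran)"
    return result


def dispatch_hardened(req: Request) -> str:
    """Normalise once, default-deny unknown commands, authenticate before any work."""
    name = normalise(req.command)
    entry = COMMANDS.get(name)
    if entry is None:
        return "denied: unknown command"
    if not entry["public"] and req.session not in VALID_SESSIONS:
        return "denied: authentication required"
    return run_command(Request(name, req.session, req.params))


if __name__ == "__main__":
    for dispatch in (dispatch_vulnerable, dispatch_hardened):
        EXECUTION_LOG.clear()
        print(dispatch.__name__, dispatch(Request("Transfer.Redirect")), EXECUTION_LOG)
```

The EXECUTION_LOG is the point: in the vulnerable dispatcher an exact-name unauthenticated request is "denied" only after transfer.redirect has already executed, and a differently-cased name is never denied at all. A single canonical name, computed once and used for both the policy lookup and the dispatch, removes the mismatch; checking the session before calling into the handler removes the ordering bug.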
Compliance Tip of the Day
NIST CSF 2.0 — GV.RM-06 — Govern: Risk Management Strategy — Standardized Risk Prioritization
AI Dev Tools Are a Risk Category Your Framework Probably Doesn’t Have a Row For Yet
CVE-2026-30615 demonstrates that AI development tools with MCP integration carry a distinct risk class: attacker-controlled content processing plus local file write access equals an RCE exposure that doesn’t map cleanly to “workstation software” or “web application” categories in a traditional risk register. NIST GV.RM-06 requires a standardized approach for calculating, documenting, categorizing, and prioritizing cybersecurity risks — which means your framework needs a row for AI IDEs before the next CVE makes the absence urgent. Concrete action (GV.RM-06): Add AI development tools with MCP integration to your organizational risk register; classify each by exploitation surface (content rendering path + file write access + MCP SDK initialization sequence), and document the compensating controls — or patch cadence — for each tool. nist.gov/cyberframework →