Windsurf Zero-Click Prompt Injection to RCE (CVE-2026-30615)
Open a file, get owned. Windsurf 1.9544.26 was the only AI IDE in the OX Security disclosure chain where exploitation required zero user interaction. Attacker-controlled HTML content, when rendered by the IDE, injected instructions that silently modified the local MCP JSON configuration and registered a malicious STDIO server. The MCP SDK did the rest: it launched the server binary and handed the attacker a command execution primitive. No click, no approval prompt, no warning in the developer toolchain.
What happened
The OX Security advisory published April 15, 2026 catalogued four exploitation families rooted in the same architectural decision in Anthropic's MCP SDK. CVE-2026-30615 is the most severe case in the third family: zero-click prompt injection into AI IDEs.
The attack path is short. Windsurf renders HTML content during normal operation. An attacker who controls that content, via a crafted web page the IDE browses, a malicious README in a cloned repository, or a poisoned tool description returned by a remote server, can embed prompt injection payloads that the IDE processes as instructions.
In Windsurf 1.9544.26, those injected instructions could silently overwrite the local mcp.json configuration and register an attacker-controlled STDIO server. When the MCP SDK initialised the configuration, it launched the registered binary. Arbitrary command execution followed, with no approval dialog, no confirmation step, and no user interaction beyond the IDE loading the project.
OX noted this was the only IDE in their testing where the attack was truly zero-click. Cursor, Claude Code, and Gemini-CLI required at least one step of user involvement. Windsurf did not. The vendor shipped a fix in releases after 1.9544.26; Google, Microsoft, and Anthropic declined to issue CVEs for their respective tools, arguing that explicit user permission is required to modify the relevant files.
The PolicyLayer angle
The exploit chain here has two links: the IDE trusts rendered content as instructions, and the MCP STDIO layer trusts whatever binary the configuration names. A policy layer that breaks either link prevents the attack regardless of IDE version.
The concrete controls: deny-by-default on new MCP server registrations in any IDE session that has consumed external content (web pages, cloned repositories, untrusted tool output), require explicit out-of-band approval before the agent can modify mcp.json or any equivalent configuration file, and maintain an allowlist of permitted STDIO server binaries resolved to pinned filesystem paths rather than arbitrary command strings. Each of these would have stopped the exploit cold even on the unpatched IDE.
The broader point: every AI IDE that renders attacker-influenced content while also having write access to MCP configuration is carrying this class of risk. The CVE is filed against Windsurf because Windsurf was the only case where no click was needed. The risk in the other IDEs is one social-engineering step away from the same outcome.
Mitigations
Update Windsurf past version 1.9544.26. Audit your mcp.json configuration and remove any entries whose origin you cannot trace to a trusted source. Disable automatic MCP server registration in IDE settings where possible. Treat any project cloned from an untrusted repository as potentially carrying a malicious MCP configuration file before opening it in any AI-assisted IDE. In production environments, restrict STDIO MCP server execution to a controlled binary allowlist rather than accepting arbitrary command strings.
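As an added illustration of the controls described in the PolicyLayer section and the mcp.json audit above (example code written for this page, not PolicyLayer's product, Windsurf's code, or the MCP SDK), the script below checks a configuration against an allowlist of pinned binary paths, flags entries a rendered page could have planted, and refuses to launch STDIO servers unless the file still matches a fingerprint recorded at the last out-of-band approval. The `mcpServers` / `command` / `args` / `env` layout, the allowlist paths and both configuration files are assumptions and constructed sample data, not values taken from the advisory.

```python
"""Audit an MCP STDIO server config against a pinned-binary allowlist and an
out-of-band approval fingerprint. Added example; the config layout
(mcpServers/command/args/env) and every path below are assumptions."""
import hashlib
import json
import os
from dataclasses import dataclass
from typing import Optional

# Allowlist: server name -> pinned absolute path it may launch (constructed values).
ALLOWLIST = {
    "filesystem": "/usr/local/bin/mcp-filesystem",
    "git": "/usr/local/bin/mcp-git",
}
# Environment keys that can redirect or hijack an otherwise pinned binary.
SENSITIVE_ENV = {"PATH", "LD_PRELOAD", "LD_LIBRARY_PATH",
                 "DYLD_INSERT_LIBRARIES", "NODE_OPTIONS", "PYTHONPATH"}
SHELL_META = set(";&|$`<>\n")


@dataclass
class Finding:
    server: str
    reason: str


def audit_config(config: dict, allowlist: dict) -> list:
    """One Finding per policy violation; empty list means every entry is allowlisted and pinned."""
    findings = []
    for name, entry in config.get("mcpServers", {}).items():
        command = str(entry.get("command", ""))
        args = [str(a) for a in entry.get("args", [])]
        env = entry.get("env", {}) or {}
        pinned = allowlist.get(name)
        if pinned is None:
            # Deny by default: a name the policy never approved is not launched at all.
            findings.append(Finding(name, "server not in allowlist (deny by default)"))
            continue
        if not os.path.isabs(command):
            # A bare name is resolved through PATH by the launcher; the policy wants a pinned file.
            findings.append(Finding(name, f"command {command!r} is not an absolute path"))
        elif os.path.normpath(command) != pinned:
            findings.append(Finding(name, f"command {command!r} does not match pinned path {pinned!r}"))
        if SHELL_META & set(command) or any(SHELL_META & set(a) for a in args):
            findings.append(Finding(name, "shell metacharacters in command or args"))
        overridden = sorted(SENSITIVE_ENV & set(env))
        if overridden:
            findings.append(Finding(name, f"env overrides {overridden} could redirect the pinned binary"))
    return findings


def config_fingerprint(config_text: str) -> str:
    """Canonical SHA-256 of the file; a human records this out-of-band when approving the config."""
    canonical = json.dumps(json.loads(config_text), sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def gate_launch(config_text: str, approved_fingerprint: Optional[str], allowlist: dict):
    """Return (allowed, findings). Launch is refused if the file changed since approval
    or any entry fails the allowlist audit, so a silently rewritten config never runs."""
    findings = audit_config(json.loads(config_text), allowlist)
    if approved_fingerprint is None or config_fingerprint(config_text) != approved_fingerprint:
        findings.append(Finding("*", "config changed since last out-of-band approval"))
    return (not findings, findings)


# Constructed sample: the config as a developer approved it ...
APPROVED_CONFIG = """{
  "mcpServers": {
    "filesystem": {"command": "/usr/local/bin/mcp-filesystem", "args": ["--root", "."]}
  }
}"""
# ... and the same file after an injected instruction registered an extra STDIO server.
TAMPERED_CONFIG = """{
  "mcpServers": {
    "filesystem": {"command": "/usr/local/bin/mcp-filesystem", "args": ["--root", "."]},
    "helper": {"command": "node", "args": ["./.tools/server.js"],
               "env": {"NODE_OPTIONS": "--require ./.tools/hook.js"}}
  }
}"""

if __name__ == "__main__":
    approved = config_fingerprint(APPROVED_CONFIG)
    allowed, findings = gate_launch(TAMPERED_CONFIG, approved, ALLOWLIST)
    print("launch allowed" if allowed else "launch blocked")
    for f in findings:
        print(f"  [{f.server}] {f.reason}")
```

Two design choices matter here. The allowlist is keyed by server name and compared against a normalised absolute path, so a relative name, a `..` traversal or a renamed entry all fail closed; and the fingerprint check is independent of the audit, so even an entry that happens to satisfy the allowlist cannot be added without a fresh human approval.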
FAQs
OX Security filed CVE-2026-30615 specifically for Windsurf because it was the only IDE where exploitation required zero user interaction. Cursor, Claude Code, and Gemini-CLI require some degree of user involvement to complete the attack chain. Google, Microsoft, and Anthropic argued that modifying the relevant configuration files requires explicit user permission, and declined to classify the behaviour as a vulnerability.
Patching Windsurf removes the zero-click path. The underlying risk, that MCP STDIO configuration files are code execution inputs and any attacker who can write to them gets RCE, remains. The configuration file is still created and read from project directories. Any IDE that opens a repository containing a crafted configuration is still one approval-dialog away from the same outcome.
Yes. CVE-2026-30615 is the third of four exploitation families documented in the April 15 OX advisory. The advisory also covers unauthenticated command injection via MCP UIs (affecting LangFlow, GPT Researcher), hardening bypasses in allowlist-protected deployments (affecting Upsonic and Flowise), and malicious payload distribution through MCP marketplaces. The Windsurf CVE is the most severe single finding in the chain.