Description
A maliciously crafted webpage, when visited by a user with Autodesk Fusion Desktop running and the MCP extension enabled, can trigger a vulnerability in the MCP extension that could allow arbitrary code execution. A successful exploit may allow code to execute with the privileges of the current user.
Published: 2026-06-22
Score: 9.6 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A maliciously crafted webpage can trigger a code injection flaw in the MCP extension of Autodesk Fusion Desktop. The fault, classified as CWE‑94, allows an attacker to evaluate arbitrary code with the same privileges as the currently logged‑in user when the application is running and the extension is enabled.

Affected Systems

The vulnerability affects Autodesk Fusion Desktop. Product identifiers point to version 2703.1.11, the specific build listed in the CPE entry. Users running this or older builds with the MCP extension active are at risk.

Risk and Exploitability

The CVSS score of 9.6 signals a high‑impact vulnerability. EPSS information is not available, and the flaw is not yet catalogued in the KEV list. The likely attack vector is a user visiting a malicious webpage while Fusion Desktop is open; the web content exploits the MCP extension’s code evaluation capability, leading to arbitrary code execution. No other prerequisites or environment constraints are described in the data.

Generated by OpenCVE AI on June 22, 2026 at 18:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest Autodesk Fusion Desktop release once it is available, which addresses the MCP extension code injection flaw.
  • If the extended functionality is not required, temporarily disable or uninstall the MCP extension to eliminate the attack surface.
  • Maintain a monitoring routine for official Autodesk advisories and promptly apply any subsequent security releases or patches.



Advisories

No advisories yet.

History

Mon, 22 Jun 2026 19:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 22 Jun 2026 17:30:00 +0000

Type | Values Removed | Values Added
Description | | A maliciously crafted webpage, when visited by a user with Autodesk Fusion Desktop running and the MCP extension enabled, can trigger a vulnerability in the MCP extension that could allow arbitrary code execution. A successful exploit may allow code to execute with the privileges of the current user.
Title | | MCP Extension Code Injection Vulnerability in Autodesk Fusion Desktop
First Time appeared | | Autodesk; Autodesk fusion
Weaknesses | | CWE-94
CPEs | | cpe:2.3:a:autodesk:fusion:2703.1.11:*:*:*:*:*:*:*
Vendors & Products | | Autodesk; Autodesk fusion
References | |
Metrics | | cvssV3_1: {'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: autodesk

Published:

Updated: 2026-06-22T17:25:30.537Z

Reserved: 2026-06-03T19:23:28.312Z

Link: CVE-2026-10789

Vulnrichment

Updated: 2026-06-22T17:25:24.990Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-22T18:30:15Z

Weaknesses
  • CWE-94

    Improper Control of Generation of Code ('Code Injection')