Description
Session fixation in Visual Studio Code allows an unauthorized attacker to elevate privileges over a network.
Published: 2026-05-12
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in Visual Studio Code is a session fixation flaw that allows an attacker to take advantage of existing session identifiers and gain elevated privileges without authorization. The flaw falls under CWE-384, which covers an attacker taking control of a session established for a legitimate user. Exploitation could result in the attacker running code or accessing data with higher privileges than intended for the user, potentially leading to unauthorized access to or control over the affected system.

Affected Systems

Microsoft Visual Studio Code is impacted. Specific affected versions are not disclosed; users should verify whether their installed edition remains vulnerable and apply updates as soon as available.

Risk and Exploitability

The CVSS score of 8.8 denotes a high severity level. EPSS is not available and the vulnerability is not listed in CISA’s KEV catalog. The description indicates that the attack requires network access to an instance of Visual Studio Code. No public exploitation data is provided, so the likelihood of active exploitation remains unclear.

Generated by OpenCVE AI on May 12, 2026 at 20:44 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Update Visual Studio Code to the latest version using the Microsoft Security Update Guide at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-41613.
  • Disable or restrict remote extensions and network connections to Visual Studio Code until the patch is applied to reduce the attack surface.
  • Ensure that any remote or shared sessions regenerate session identifiers upon reconnection to mitigate session fixation risks.


Tracking


Advisories

No advisories yet.

History

Tue, 12 May 2026 19:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 12 May 2026 17:30:00 +0000

Type: Description
Values Removed: (none)
Values Added: Session fixation in Visual Studio Code allows an unauthorized attacker to elevate privileges over a network.

Type: Title
Values Removed: (none)
Values Added: Visual Studio Code Elevation of Privilege Vulnerability

Type: First Time appeared
Values Removed: (none)
Values Added: Microsoft; Microsoft visual Studio Code

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-384; CWE-78

Type: CPEs
Values Removed: (none)
Values Added: cpe:2.3:a:microsoft:visual_studio_code:*:*:*:*:*:*:*:*

Type: Vendors & Products
Values Removed: (none)
Values Added: Microsoft; Microsoft visual Studio Code

Type: References
Values Removed: (none)
Values Added: (none)

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C'}


Subscriptions

Microsoft Visual Studio Code
MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-05-18T18:09:59.750Z

Reserved: 2026-04-21T22:14:12.924Z

Link: CVE-2026-41613

Vulnrichment

Updated: 2026-05-12T18:56:15.239Z

NVD

Status: Analyzed

Published: 2026-05-12T18:17:23.237

Modified: 2026-05-15T14:23:50.983

Link: CVE-2026-41613

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T21:30:24Z

Weaknesses