Description
Initialization of a resource with an insecure default in GitHub Copilot and Visual Studio Code allows an unauthorized attacker to disclose information over a network.
Published: 2026-06-09
Score: 8.4 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Initialization of a resource with an insecure default in GitHub Copilot and Visual Studio Code can enable an attacker to read and transmit sensitive information over a network. The flaw involves improper setup of default permissions or paths, allowing read access beyond the intended scope; the presence of CWE-22 suggests path traversal or directory restriction weaknesses.

Affected Systems

The affected component is the Microsoft Visual Studio Code CoPilot Chat Extension. No specific version information is disclosed; any installation that has not applied the fix is potentially vulnerable.

Risk and Exploitability

The CVSS score of 8.4 signals a high-impact vulnerability. The EPSS score is below 1%, implying a low but non-zero exploitation probability. The description does not state whether the attack requires local access or can be executed remotely (the CVSS 3.1 vector recorded in the history below gives AV:L, i.e. local); exploitation most likely involves manipulating file paths or configuration inputs processed by the extension, after which the attacker could exfiltrate data over the network. The vulnerability is not listed in the CISA KEV catalog.

Generated by OpenCVE AI on June 19, 2026 at 23:22 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Obtain the latest patch or updated extension version from Microsoft and install it.
  • If an update is not available, uninstall or disable the CoPilot Chat Extension until a fix is released.
  • Limit file system permissions to the directories used by the extension to ensure only trusted users can modify or read files outside the allowed scope.

Advisories

No advisories yet.

History

Fri, 19 Jun 2026 21:15:00 +0000

Type: Description
Values Removed: Improper limitation of a pathname to a restricted directory ('path traversal') in GitHub Copilot and Visual Studio Code allows an unauthorized attacker to bypass a security feature locally.
Values Added: Initialization of a resource with an insecure default in GitHub Copilot and Visual Studio Code allows an unauthorized attacker to disclose information over a network.

Wed, 10 Jun 2026 18:15:00 +0000

Type: Title
Values Removed: Microsoft Visual Studio Code CoPilot Chat Extension Security Feature Bypass Vulnerability
Values Added: Microsoft Visual Studio Code CoPilot Chat Security Feature Bypass Vulnerability

Wed, 10 Jun 2026 11:30:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 09 Jun 2026 17:15:00 +0000

Type: Description
Values Added: Improper limitation of a pathname to a restricted directory ('path traversal') in GitHub Copilot and Visual Studio Code allows an unauthorized attacker to bypass a security feature locally.

Type: Title
Values Added: Microsoft Visual Studio Code CoPilot Chat Extension Security Feature Bypass Vulnerability

Type: First Time appeared
Values Added: Microsoft; Microsoft visual Studio Code Copilot Chat Extension

Type: Weaknesses
Values Added: CWE-22

Type: CPEs
Values Added: cpe:2.3:a:microsoft:visual_studio_code_copilot_chat_extension:*:*:*:*:*:*:*:*

Type: Vendors & Products
Values Added: Microsoft; Microsoft visual Studio Code Copilot Chat Extension

Type: References
Values Added:

Type: Metrics
Values Added: cvssV3_1 {'score': 8.4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C'}


Subscriptions

Microsoft Visual Studio Code Copilot Chat Extension
MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-06-26T19:41:33.828Z

Reserved: 2026-05-12T16:07:22.617Z

Link: CVE-2026-45482

Vulnrichment

Updated: 2026-06-10T10:19:50.160Z

NVD

Status: Awaiting Analysis

Published: 2026-06-09T17:17:22.587

Modified: 2026-06-09T19:32:51.440

Link: CVE-2026-45482

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-19T23:30:05Z

Weaknesses
  • CWE-22

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')