Description
Windows-MCP is an open-source project that integrates AI agents with Windows. In versions prior to 0.7.5, certain HTTP modes exposed the MCP control plane without authentication while enabling wildcard CORS (allow_origins=*, allow_methods=*, allow_headers=*). Because the same server also exposed a PowerShell tool that executes caller-controlled commands as the Windows user running Windows-MCP, attackers could reach the control plane from arbitrary origins or non-browser clients and achieve arbitrary PowerShell execution. This issue was fixed in version 0.7.5.
Published: 2026-06-17
Score: 8.9 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Windows-MCP is an open‑source project that integrates AI agents with Windows. Versions prior to 0.7.5 exposed its HTTP control plane without authentication and enabled wildcard CORS. Because the same server also offered a PowerShell tool that runs caller‑controlled commands as the Windows user that runs Windows‑MCP, an attacker could send requests from any origin or non‑browser client to the control plane and obtain the ability to execute arbitrary PowerShell commands. This results in remote code execution with the privileges of the Windows‑MCP user, compromising confidentiality, integrity, and availability. The weakness is an authentication bypass, identified as CWE‑306.

Affected Systems

The affected product is CursorTouch’s Windows‑MCP. All installations running a version earlier than 0.7.5 are vulnerable. No other vendors or products are listed.

Risk and Exploitability

The CVSS base score of 8.9 classifies the vulnerability as high severity. The EPSS score is less than 1%, indicating a low likelihood of exploitation in the near term, and it is not currently in the CISA KEV catalog. The exploit path requires only network connectivity to the Windows‑MCP host; authentication is unnecessary because the HTTP endpoints are unauthenticated, and wildcard CORS permits requests from any origin. Once an attacker sends a crafted request, the exposed PowerShell interface runs the supplied command as the Windows‑MCP user. Because the attacker does not need to act on behalf of a local user, the attack complexity is low, and the vulnerability can be leveraged remotely with minimal effort.

Generated by OpenCVE AI on June 18, 2026 at 19:16 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Windows‑MCP to version 0.7.5 or later, which implements authentication and disables wildcard CORS.
  • If an upgrade cannot be performed immediately, isolate the Windows‑MCP server behind a firewall or VPN so that only trusted hosts can reach the control plane.
  • Distribute the PowerShell command execution endpoint to only authenticated users or remove it if it is not required.

Generated by OpenCVE AI on June 18, 2026 at 19:16 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-vrxg-gm77-7q5g Windows-MCP: HTTP transports expose unauthenticated PowerShell control with wildcard CORS
History

Thu, 18 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Description Windows-MCP is an open-source project that integrates AI agents with Windows. In versions prior to 0.7.5, certain HTTP modes exposed the MCP control plane without authentication while enabling wildcard CORS (allow_origins=*, allow_methods=*, allow_headers=*). Because the same server also exposed a PowerShell tool that executes caller-controlled commands as the Windows user running Windows-MCP, attackers could reach the control plane from arbitrary origins or non-browser clients and achieve arbitrary PowerShell execution. This issue was fixed in version 0.7.5.
Title Windows-MCP: HTTP transports expose unauthenticated PowerShell control with wildcard CORS
Weaknesses CWE-306
References
Metrics cvssV4_0

{'score': 8.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-18T15:44:08.967Z

Reserved: 2026-05-26T23:26:07.975Z

Link: CVE-2026-48989

cve-icon Vulnrichment

Updated: 2026-06-18T15:44:04.160Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T19:30:15Z

Weaknesses
  • CWE-306

    Missing Authentication for Critical Function