Description
Initialization of a resource with an insecure default in GitHub Copilot and Visual Studio Code allows an unauthorized attacker to disclose information over a network.
Published: 2026-06-19
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Resource initialization in GitHub Copilot and Visual Studio Code relies on an insecure default that lets an unauthorized actor disclose sensitive data over the network. The vulnerability stems from improper handling of default configurations, which results in data leaks rather than code execution or denial of service. The primary weakness is classified as CWE-1188, indicating insecure default settings.

Affected Systems

Microsoft: GitHub Copilot Chat integrated within Visual Studio Code is affected. No specific version range is disclosed, so all deployments that have not applied the latest update should be considered vulnerable.

Risk and Exploitability

The vulnerability carries a CVSS score of 6.5, placing it in the medium severity range. EPSS information is not available, and the issue is not listed in CISA KEV. The absence of exploit data suggests no known widespread attacks, yet the attack vector appears to be the network, so any actor who can reach the affected system through network channels is a potential attacker. Given the moderate score and lack of exploit evidence, the risk is considered moderate, but remediation is recommended to prevent potential future exploitation.

Generated by OpenCVE AI on June 19, 2026 at 22:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update GitHub Copilot Chat to the latest version that addresses the insecure default configuration.
  • If an immediate update is not possible, modify the Copilot Chat settings to remove or secure the default behavior that enables network disclosure.
  • Configure network controls to restrict external access to the Copilot Chat service and ensure that only authorized users can invoke it.

Advisories

No advisories yet.

History

Fri, 19 Jun 2026 23:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Microsoft github Copilot Chat |
| Vendors & Products | | Microsoft github Copilot Chat |

Fri, 19 Jun 2026 21:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Initialization of a resource with an insecure default in GitHub Copilot and Visual Studio Code allows an unauthorized attacker to disclose information over a network. |
| Title | | Microsoft Visual Studio Code CoPilot Chat Security Feature Bypass Vulnerability |
| First Time appeared | | Microsoft; Microsoft gihub Copilot Chat |
| Weaknesses | | CWE-1188 |
| CPEs | | cpe:2.3:a:microsoft:gihub_copilot_chat:*:*:*:*:*:*:*:* |
| Vendors & Products | | Microsoft; Microsoft gihub Copilot Chat |
| References | | |
| Metrics | | cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C'} |


MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-06-19T20:28:35.395Z

Reserved: 2026-06-04T19:00:41.292Z

Link: CVE-2026-50519

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-19T23:15:05Z

Weaknesses
  • CWE-1188: Initialization of a Resource with an Insecure Default