TL;DR

CVE-2026-30615 (CVSS 8.0 High, but called out as zero-click) lets a remote attacker achieve RCE on a host running Windsurf ≤ 1.9544.26 by injecting instructions that cause unauthorized modification of mcp.json and automatic registration of an attacker-controlled MCP server — with no user interaction. Of the four major AI IDEs OX Security tested (Windsurf, Cursor, Claude Code, Gemini-CLI), only Windsurf had a fully zero-click path.

What happened

OX Security audited the MCP write-paths in major AI coding tools and found a class-wide vulnerability — prompt-injectable content read by the agent could trigger writes to the user's MCP configuration file (mcp.json), which is then auto-loaded and the new server's command executed.

  • Windsurf: zero user interaction required. Filed as CVE-2026-30615. Patched in versions > 1.9544.26.
  • Cursor / Claude Code / Gemini-CLI: the same class of write-path bug existed; Google, Microsoft, and Anthropic declined to issue CVEs, arguing that "explicit user permission" is required to modify the files. Researchers contest this — the path is exploitable in practice with realistic agent configurations.

This is the same class as Cursor's CurXecute/MCPoison. The MCP trust model — the user must approve any new server entry — keeps getting bypassed because the trust check runs after the file write, not before.

Am I affected?

# Check Windsurf version
windsurf --version
# Or via the IDE: Help → About

If Windsurf ≤ 1.9544.26 was ever connected to an MCP server that ingests content from the public internet, public Slack channels, GitHub issues, customer-submitted data, or similar — assume the path could have been exploited. Update.

# Audit your mcp.json for entries you didn't add
cat ~/.windsurf/mcp.json 2>/dev/null
cat ~/.codeium/mcp.json 2>/dev/null   # older config location

If you are affected

  1. Update Windsurf past 1.9544.26 immediately.
  2. Audit mcp.json for unknown entries. Delete anything you don't actively use; for entries you keep, confirm the command matches what you originally approved.
  3. Treat outbound activity from any unknown MCP as compromise. Rotate credentials handled by that MCP and any cloud creds reachable from the host.
  4. If you also use Cursor / Claude Code / Gemini-CLI: same audit applies — even though vendors didn't issue CVEs, the pattern (MCP-injected mcp.json modification) is real. Keep all four tools current and avoid connecting MCPs to user-generated-content surfaces.

Prevention

prevention/mcp-hygiene.mdprevention/agent-sandboxing.md — run agents in a devcontainer so even a successful RCE is sandboxed.

Pattern to internalize: any AI tool that writes to its own configuration file based on instructions in fetched content is a candidate for this class. Defense: lock down what content the agent can fetch, and review every mcp.json change.

Sources