---
id: 2026-06-idessaster-ai-ide-cve-cluster
title: "IDEsaster — 30+ security flaws (24 CVEs) in Cursor, Windsurf, Kiro.dev, GitHub Copilot, Zed, Roo Code, Junie, Cline (June 2026)"
date_disclosed: 2026-06-17
last_updated: 2026-06-18
severity: high
status: active
ecosystems: [cursor, windsurf, vscode, ide-extensions, github-copilot, zed]
tools_affected: [Cursor, Windsurf, Kiro.dev (Amazon), GitHub Copilot (VS Code), Zed.dev, Roo Code, Junie (JetBrains), Cline]
tags: [cve, rce, prompt-injection, ide, localhost-rce, ai-coding-tools, credential-theft, cluster]
---

## TL;DR
Security researchers disclosed **30+ flaws** (**24 assigned CVEs**) across **8 AI coding tools** simultaneously — Cursor, Windsurf, Kiro.dev, GitHub Copilot (VS Code), Zed.dev, Roo Code, Junie, and Cline — in a coordinated release the researchers called **"IDEsaster"**. Vulnerability classes include **localhost RCE** (unauthenticated WebSocket / HTTP servers), **prompt injection leading to credential exfiltration**, **path traversal**, and **malicious workspace file execution**. No single "most dangerous" flaw — the cluster is significant because it simultaneously exposed a wide attack surface across the AI coding tool ecosystem. Patches vary by vendor; update all affected tools immediately and disable any tool whose patch status is unconfirmed.

## What happened

The **IDEsaster** disclosure (June 2026) is a coordinated multi-vendor security research report covering **30+ security vulnerabilities across 8 AI coding tools**, with **24 CVEs formally assigned**. The research builds on well-established attack patterns in this space — similar to prior clusters covering [Cline CVE-2026-44211](2026-06-cline-cve-2026-44211-websocket-rce.md), [OpenCode CVE-2026-22812 / CVE-2026-22813](2026-01-opencode-localhost-rce.md), and [OpenClaw CVE-2026-25253](2026-01-openclaw-cve-2026-25253-gatewayurl-rce.md) — but notable for the breadth of tools covered in one disclosure.

**Common vulnerability patterns across IDEsaster:**

1. **Localhost-is-not-a-security-boundary** (recurring class) — AI coding tools start local HTTP/WebSocket servers for inter-process communication or extension APIs. Without proper origin validation or authentication tokens, any webpage the developer visits can send requests to these servers and execute arbitrary shell commands or read workspace files.

2. **Prompt injection via workspace artifacts** — malicious `README.md`, `.cursorrules`, `CLAUDE.md`, `AGENTS.md`, or other project files can inject instructions that cause the AI agent to exfiltrate credentials, execute commands, or manipulate the developer's codebase on behalf of an attacker.

3. **Malicious workspace / config file execution** — some tools auto-execute code or install dependencies when a workspace is opened, without a trust prompt. Analogous to the [Cursor open-folder Git-hook RCE](2026-05-cursor-open-folder-autorun.md) pattern.

4. **Path traversal** — some tools serve local files via a built-in HTTP server without adequate path normalization; a crafted URL escapes the intended serving root.

**Affected tools and patch status (as of 2026-06-18):**
Some vendors shipped patches alongside the coordinated disclosure; others were still in the process of fixing at time of writing. Consult each vendor's release notes for the minimum fixed version. The CVE list spans all 8 tools; no single vendor had more than a handful.

**Why this matters:** Most of these tools hold your AI provider API keys, cloud credentials (via environment variables or tool config files), and workspace secrets. A single exploited flaw is a path to a full credential harvest. The IDEsaster cluster reinforces the pattern documented by [Windsurf CVE-2026-30615](2026-05-windsurf-zero-click-mcp-rce.md), [Cline CVE-2026-44211](2026-06-cline-cve-2026-44211-websocket-rce.md), and the [OpenClaw "Claw Chain"](2026-05-openclaw-claw-chain.md): **every AI coding tool that listens on localhost without authentication is a localhost RCE waiting to happen.**

## Am I affected?

You are affected if you use any of the following tools and have NOT updated to the latest patched version:

| Tool | Vendor | Update command |
|---|---|---|
| Cursor | Anysphere | Help → Check for updates, or reinstall from cursor.com |
| Windsurf | Codeium | Help → Check for updates, or reinstall from codeium.com |
| Kiro.dev | Amazon | Update from kiro.dev or via VS Code marketplace |
| GitHub Copilot (VS Code) | GitHub/Microsoft | VS Code: Extensions → GitHub Copilot → Update |
| Zed.dev | Zed Industries | `zed --version`; update from zed.dev |
| Roo Code | Roo AI | VS Code: Extensions → Roo Code → Update |
| Junie | JetBrains | JetBrains IDE: Plugins → Junie → Update |
| Cline | Cline AI | VS Code: Extensions → Cline → Update (if not already on ≥ the IDEsaster fix) |

```bash
# Check if any AI coding tool is listening on localhost
ss -tlnp 2>/dev/null | grep -E ':(3000|3484|3747|4000|8080|9000|9229)'
lsof -i -n -P 2>/dev/null | grep -E 'cursor|windsurf|cline|zed|roo'

# Grep project files for known prompt-injection patterns (zero-width Unicode)
grep -RlP '[\x{200B}-\x{200F}\x{2060}-\x{2064}\x{FE00}-\x{FE0F}]' \
  .cursorrules CLAUDE.md AGENTS.md .github/copilot-instructions.md 2>/dev/null
```

## If you are affected

1. **Update all 8 affected AI coding tools** to their latest releases immediately.
2. **Rotate AI provider API keys** stored in any tool config, env file, or IDE settings panel (especially after the [JetBrains Marketplace AI key theft](2026-06-jetbrains-ide-plugins-ai-key-theft.md) advisory — a combined exposure).
3. If you were running any of these tools **with `--dangerously-skip-permissions` or equivalent** and visited untrusted websites, treat the session host as compromised.
4. **Audit workspace files** (`.cursorrules`, `CLAUDE.md`, `AGENTS.md`, `README.md`) for zero-width Unicode or hidden prompt-injection instructions.

→ [playbooks/rotating-cloud-credentials.md](../playbooks/rotating-cloud-credentials.md)
→ [prevention/agent-sandboxing.md](../prevention/agent-sandboxing.md)

## Prevention

- **Keep all AI coding tools on auto-update.** The IDEsaster timeline confirms that vulnerability-to-PoC turnaround in AI tools is now < 48 hours ([baseline from PraisonAI](2026-05-praisonai-auth-bypass.md): 4 hours to weaponized exploit).
- **Run AI coding agents inside a devcontainer or VM** for any project you didn't originate — this contains the blast radius of both prompt-injection and localhost-RCE attacks.
- **Never expose AI tool localhost ports through port forwarding or ngrok.**
- **Audit `.cursorrules`, `CLAUDE.md`, `AGENTS.md`** in every repo you open — these files control agent behavior and are a write-target for supply-chain attackers (see [TrapDoor](2026-05-trapdoor-cross-ecosystem-stealer.md)).

→ [prevention/agent-sandboxing.md](../prevention/agent-sandboxing.md)
→ [prevention/mcp-hygiene.md](../prevention/mcp-hygiene.md)

## Sources

- [The Hacker News — IDEsaster: Researchers Disclose 30+ Security Flaws in Popular AI Coding Tools](https://thehackernews.com/2026/06/idesaster-researchers-disclose-30.html) — primary disclosure, CVE list, 8 tools affected.
- [CyberSecurityNews — IDEsaster: AI Coding Tool Vulnerabilities Expose Developers to RCE](https://cybersecuritynews.com/idesaster-ai-coding-tool-vulnerabilities/) — per-tool breakdown.
- Cross-references: [Cline CVE-2026-44211](2026-06-cline-cve-2026-44211-websocket-rce.md), [OpenClaw Claw Chain](2026-05-openclaw-claw-chain.md), [OpenCode localhost RCE](2026-01-opencode-localhost-rce.md), [Windsurf zero-click MCP RCE](2026-05-windsurf-zero-click-mcp-rce.md), [Cursor open-folder RCE](2026-05-cursor-open-folder-autorun.md).
