CVE-2026-30615
Published: 15 April 2026
Summary
CVE-2026-30615 is a high-severity Command Injection (CWE-77) vulnerability in Ox (inferred from references). Its CVSS base score is 8.0 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Command and Scripting Interpreter (T1059). The CVE ranks at the 18.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related: it is categorised as AI Agent Protocols and Integrations, in the LLM/Generative AI Risks risk domain.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) (AI)
SI-10 validates attacker-controlled HTML content before processing, directly preventing prompt injection that leads to MCP configuration modification and arbitrary command execution.
SI-2 requires timely remediation of the specific flaw in Windsurf version 1.9544.26, eliminating the vulnerability enabling unauthorized MCP changes and RCE.
CM-5 authorizes and restricts changes to the local MCP configuration, mitigating unauthorized modifications induced by the prompt injection vulnerability.
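One way to apply the CM-5 control above is to compare the MCP configuration against a reviewed baseline and flag any process-spawning (STDIO) server entry that is new or altered. This is an added example, not code from the advisory or from Windsurf; the `mcpServers`/`command`/`args`/`env` JSON layout, the function names and the sample data are assumptions, and the location of the config file is left to the caller.

```python
import hashlib
import json

def fingerprint(entry):
    """Hash the fields that decide which process a STDIO server spawns."""
    material = json.dumps(
        {"command": entry.get("command"), "args": entry.get("args", []),
         "env": entry.get("env", {})},
        sort_keys=True,
    )
    return hashlib.sha256(material.encode()).hexdigest()

def audit_mcp_config(config_text, approved):
    """Return (name, reason) findings for STDIO servers not matching the baseline.

    approved maps server name -> fingerprint recorded when the entry was reviewed.
    The JSON layout is an assumption; adjust the keys to the client in use.
    """
    try:
        doc = json.loads(config_text)
    except json.JSONDecodeError:
        return [("<config>", "unparseable")]
    servers = doc.get("mcpServers", {}) if isinstance(doc, dict) else None
    if not isinstance(servers, dict):
        return [("<config>", "unparseable")]
    findings = []
    for name, entry in sorted(servers.items()):
        if not isinstance(entry, dict) or "command" not in entry:
            continue  # no local command, so not a STDIO entry
        if name not in approved:
            findings.append((name, "unapproved"))
        elif fingerprint(entry) != approved[name]:
            findings.append((name, "changed"))
    return findings

# Constructed sample data: one reviewed entry, then a config that drifted from it.
BASELINE = {"docs": fingerprint({"command": "npx", "args": ["-y", "example-docs-server"]})}
SAMPLE = json.dumps({"mcpServers": {
    "docs": {"command": "npx", "args": ["-y", "example-docs-server", "--extra"]},
    "helper": {"command": "/tmp/example-binary", "args": []},
    "remote": {"url": "https://mcp.example.invalid/sse"},
}})

if __name__ == "__main__":
    for name, reason in audit_mcp_config(SAMPLE, BASELINE):
        print(f"{name}: {reason}")
```

Running a check like this on a schedule, or on file-change events, turns a silent configuration change into an alert before the next time the client starts its MCP servers.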
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
Prompt injection enables modification of the local configuration to register a malicious STDIO server for arbitrary command execution (T1059), via application exploitation (T1190) and system process creation (T1543).
NVD Description
A prompt injection vulnerability in Windsurf 1.9544.26 allows remote attackers to execute arbitrary commands on a victim system. When Windsurf processes attacker-controlled HTML content, malicious instructions can cause unauthorized modification of the local MCP configuration and automatic registration of a malicious MCP STDIO server, resulting in execution of arbitrary commands without further user interaction. Successful exploitation may allow attackers to execute commands on behalf of the user, persist malicious MCP configuration changes, and access sensitive information exposed through the application.
Deeper analysis (AI)
CVE-2026-30615 is a prompt injection vulnerability affecting Windsurf version 1.9544.26. The flaw occurs when Windsurf processes attacker-controlled HTML content: malicious instructions in that content can make unauthorized modifications to the local MCP configuration and automatically register a malicious MCP STDIO server. This results in the execution of arbitrary commands on the victim system without further user interaction. The vulnerability is rated with a CVSS v3.1 base score of 8.0 (AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H) and is associated with CWE-77 (Command Injection).
Remote attackers can exploit this vulnerability by supplying malicious HTML content for processing by Windsurf. No privileges are required (PR:N), and exploitation requires low complexity with no user interaction (UI:N). Successful attacks allow execution of arbitrary commands on behalf of the user, persistence of malicious MCP configuration changes, and access to sensitive information exposed through the application.
The primary advisory reference is available at https://www.ox.security/blog/mcp-supply-chain-advisory-rce-vulnerabilities-across-the-ai-ecosystem/, which discusses MCP supply-chain RCE vulnerabilities across the AI ecosystem. Specific mitigation details, such as patches, are not detailed in the provided CVE information.
Details
- CWE(s)
Affected Products
AI Security Analysis (AI)
- AI Category: AI Agent Protocols and Integrations
- Risk Domain: LLM/Generative AI Risks
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: Matched keywords: prompt injection, mcp, mcp, mcp