
VS Code MCP install flow had hidden fields, and it just got a CVE

AIntelligenceHub
5 min read

Oasis Security Research disclosed CVE-2026-41613, a VS Code MCP install flow that hid five configuration fields from the preview dialog. The fix is in 1.119.1, but the install link is still the attack path, and the configurations already on developers' disks are still unaudited.

Oasis Security Research disclosed a vulnerability in the Visual Studio Code Model Context Protocol install flow on June 25, tracked as CVE-2026-41613, that lets an attacker push hidden configuration fields alongside the five fields a developer sees in the preview dialog. The fix shipped in VS Code 1.119.1, but most organizations have not audited the MCP configurations their developers already have on disk.

The disclosure lands in the middle of a security story that has been building for months. The Model Context Protocol has gone from a niche standard to the connective tissue between AI assistants and the rest of a developer's machine, in the same period that security teams have started treating the MCP server as a non-human identity with real credentials and real blast radius. The Oasis team has now published three of these disclosures, following the OpenClaw research in March and a Claude AI platform issue in May, and each one has hit the same soft spot in the install path: a UI that shows the developer enough to click Install, and not enough to know what they are installing.

The gap behind the VS Code MCP install dialog

The VS Code MCP install flow is built around a single decision point. A developer clicks an install link, the editor opens a preview dialog listing the configuration about to be written into the workspace, the developer reviews it and presses Install. That dialog is the only security boundary in the flow. The Oasis Security Research Team found that the dialog rendered five visible fields and silently persisted five more: environment variables, environment files, HTTP headers, working directory settings, and developer flags. None of the hidden fields appeared anywhere in the preview, so a payload placed in any of them was never shown to the user.

The research traces the gap to a UI design that prioritized the common case. Most MCP servers in the wild are simple, and the five visible fields cover the simple case cleanly. The five hidden fields cover the cases that matter to an attacker: a NODE_OPTIONS value containing --import that runs attacker code when the server process starts, a pre-populated Authorization header that makes every request the developer's assistant sends through the server authenticate as the attacker, and working directory and dev flag settings that change what the server can see on the host. The Oasis team confirmed all five hidden fields in a working exploit against a pre-fix VS Code build, and reported the issue to Microsoft under coordinated disclosure before publishing.

This is a research disclosure, not a report of a campaign. There is no indication that any of the disclosed payloads have been seen in the wild, and the exploit chain was tested only in a developer-controlled environment. The fix is already on the stable channel. The urgency is not an active attacker; it is the size of the install base and the speed at which MCP servers are being added to workspaces that are several months old.

What the VS Code CVE means for every install

The vulnerability enables two distinct attacks from the same install link. The first is full remote code execution. The Node.js runtime reads NODE_OPTIONS at startup, before any of the program's own code runs, so an attacker who can plant that variable in the server's environment controls what the process does first. Embedding a NODE_OPTIONS value whose --import points at attacker-controlled code inside an install link for a legitimate, recognizable MCP server is enough: the user sees a trustworthy-looking preview, presses Install, and hands the attacker code execution on the machine with the developer's own privileges. The configuration persists in the workspace, so the payload runs every time the server starts and the foothold survives restarts and reboots.

The second attack requires no code at all. For HTTP-type servers, the configured headers, including Authorization, are attached to every request the editor sends to the server, and that header was also hidden from the preview. An attacker can pre-populate it with their own credentials before sharing the install link. From that point forward, every action the developer's AI assistant takes through that tool happens inside the attacker's account, not the developer's, and whatever the assistant sends through the tool lands where the attacker can read it. There is no password prompt, no login screen, and no visible difference in the editor. The AI assistant is quietly working for someone else, and the developer has no way to know until the next authentication error or quota surprise surfaces.

The two attacks share a property that security teams should plan for: they both bypass the developer, not the editor. The editor did exactly what it was told, and the preview showed exactly the parts of the configuration it had been told to show. The hidden fields are not a rendering bug; they are a gap in the model of what a preview has to cover. The same install flow, with the five extra fields surfaced, would have given the developer a chance to catch both attacks, because a NODE_OPTIONS value carrying --import or an unexpected Authorization header would have been visible before the click. The fix in 1.119.1 surfaces the five hidden fields in the preview dialog, and the security boundary is now the one the developer always thought it was. That boundary still rests on the developer recognizing a dangerous value when it is shown.

The install link is the supply chain in 2026

The broader pattern in the Oasis research is the one the MCP supply chain piece from last week laid out. Seventy-one percent of public MCP packages have a single maintainer, and most install links in the wild are not signed. A developer who clicks an install link from a GitHub readme, a community forum, or a chat thread is trusting the link's owner: not the package's author, not the editor, and not the protocol. The CVE-2026-41613 disclosure makes that trust gap concrete: the attacker does not need to compromise the package, the maintainer, or the editor; they only need to ship an install link that hides what it actually installs.

For a security team, the steps are short. Update VS Code to 1.119.1 or later across the developer fleet. Audit the MCP configurations already on disk (.vscode/mcp.json in each workspace, plus any user-level MCP configuration), looking specifically for env and envFile entries, working directory settings, dev flags, HTTP headers on HTTP-type servers, and NODE_OPTIONS values containing --import. The Oasis team also recommends treating MCP servers as non-human identities for governance purposes, with intent analysis, policy enforcement, just-in-time access, and a full audit trail. The wider reference for the agent tooling stack that depends on retrieval like this is the Best AI Coding Agents in 2026 resource, and the full disclosure, with the working exploit chain and the recommended hardening steps, is the Cybersecurity Insiders piece by Elad Luz at Oasis Security.
