AGENTS CRITICAL NEW

CVE-2026-30615: prompt injection rewrites Windsurf's MCP config into RCE

OX Security's April 15, 2026 advisory shows how attacker-controlled content can make the Windsurf IDE register a malicious MCP STDIO server and run commands — with no user click. The class spans coding agents, but Windsurf got the CVE.

2026-06-03 // 6 min // affects: windsurf-1.9544.26, mcp-stdio-transport

What is this?

On April 15, 2026, OX Security published a full-disclosure advisory covering a family of command-injection vulnerabilities tied to how applications handle Model Context Protocol (MCP) STDIO server configurations. One entry in that advisory is CVE-2026-30615, a prompt-injection-to-RCE issue in the Windsurf coding IDE (build 1.9544.26), published to the NVD the same day and rated CVSS 8.0 (High), with OX classifying its impact as critical.

The mechanism, per the NVD and GitHub advisory GHSA-wj2m-jvpr-64cq: when Windsurf processes attacker-controlled HTML content, embedded instructions can cause “unauthorized modification of the local MCP configuration and automatic registration of a malicious MCP STDIO server, resulting in execution of arbitrary commands without further user interaction.” It is filed under CWE-77 (Command Injection).

The detail that earned Windsurf the only CVE in OX’s “MCP config edit via prompt injection” family is the zero-click path: the model’s processing of untrusted content directly rewrites the MCP JSON config. Other coding assistants OX tested in the same family — Cursor, Claude Code, Gemini-CLI, GitHub Copilot — required at least one explicit user approval to edit the config file, which (by those vendors’ threat models) does not qualify as a vulnerability.

How it works

This is indirect prompt injection landing on a privileged side effect. No payload is reproduced here; the chain is a class, not a recipe.

Stage                       What happens
--------------------------  ------------------------------------------------
1. Untrusted content        Agent ingests attacker-controlled text: a web
                            page it browses, a README in a cloned repo, or a
                            tool description returned by a remote MCP server.
2. Injection                Hidden instructions in that content are treated
                            as directives by the model, not as data.
3. Config write             The directive steers the agent to modify the
                            LOCAL mcp config (JSON) — adding a new server
                            entry of transport type "stdio".
4. Server registration      The new STDIO entry carries a "command" + "args"
                            that the host runs as a subprocess [REDACTED].
5. Execution                On (auto-)launch, the host executes the command
                            with the privileges of the IDE process. RCE.

The root cause OX traces across the whole advisory is upstream of any single product: MCP STDIO configurations specify a command and args that get passed to a subprocess launcher (e.g. StdioServerParameters) without sanitization or an allowlist. STDIO transport is, by design, “run this local process.” When the path that writes that config can be reached by untrusted input — here, via the LLM’s own context window — config authority and code execution collapse into the same primitive. This is the same structural problem documented for MCP STDIO transport and for tool-name and find-by-name injection in other agents.

Why it matters

A coding IDE is a high-value host: it holds source, secrets, SSH keys, cloud credentials, and a shell. Turning content the agent merely reads into commands the host runs removes the human from the loop entirely — there is no malicious link to click and no dialog to dismiss. A poisoned README in a dependency you clone, or a crafted page the agent fetches while “researching,” is enough.

It also generalizes. OX’s advisory lists ten CVEs spanning four families (LangFlow, GPT Researcher, LiteLLM, Agent Zero, Fay, Bisheng, Jaaz, DocsGPT and others), all rooted in the same unsanitized STDIO-config pattern. Windsurf is simply the cleanest demonstration that the write path can be driven by prompt injection with no click. Several vendors declined to patch, calling direct command execution “by design” — which means the pattern will persist in the ecosystem, and the burden shifts to operators.

Defenses

  1. Update Windsurf. Move off build 1.9544.26 to the current release. Treat the IDE like any other RCE-exposed endpoint in your patch SLA.
  2. Make MCP config changes require explicit, informed consent. Any write to the MCP config — especially adding a stdio server — should demand a human approval that shows the command and args. A blind “allow file edit?” is not enough; the user must see what will run.
  3. Allowlist STDIO commands, and audit the args. Restricting command to python/npm/npx is necessary but insufficient: OX bypassed such allowlists through argument flags (e.g. passing a command via an allowed launcher’s options). Constrain arguments too, or prefer non-STDIO transports.
  4. Treat all retrieved content as untrusted data, never instructions. Apply the lethal trifecta lens: an agent that combines access to private data, exposure to untrusted content, and an exfiltration/execution channel is exploitable by design. Break one leg — sandbox the agent, strip its ability to write its own config, or isolate untrusted browsing.
  5. Least privilege for the agent process. Run coding agents in a container or VM with no standing cloud credentials and a scoped filesystem, so that even a successful config rewrite yields a contained, low-value shell rather than full system compromise.
  6. Monitor the config file. Watch mcp config paths for unexpected writes and new stdio entries; alert on subprocess spawns originating from the IDE that don’t match a known toolchain.
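The root cause described under "How it works" (a stdio entry's command and args go straight to a subprocess launcher) and defenses 3 and 6 above can be turned into a concrete check. The block below is an added example for this page, not code from OX Security, Windsurf, or the MCP SDK. It assumes the widely used {"mcpServers": {name: {"command", "args", "env"}}} config layout; the allowlist, the dangerous-flag list, the environment-variable list and the two sample configs are constructed for illustration rather than taken from the advisory. It goes slightly beyond the text by also checking the "env" block of a stdio entry, since a PATH or loader-hook override can hijack an allowlisted launcher just as an argument flag can.

```python
"""
Added example: a guard for MCP config files of the {"mcpServers": {...}} shape.
Not OX Security's or Windsurf's code. The allowlist, flag list, env list and
sample configs are assumptions constructed for this example.
"""
import json
from dataclasses import dataclass

# Launchers a team might permit as a stdio "command" (assumption). Bare names
# only: a path such as "/tmp/python3" must fail, otherwise an attacker bypasses
# the allowlist by shipping their own binary under an allowed name.
ALLOWED_COMMANDS = {"python", "python3", "node", "npx"}

# Flags that turn an allowed launcher into "run this code" (assumption, chosen
# from each tool's documented options). These are the argument-level bypasses
# that make a command-only allowlist insufficient.
DANGEROUS_FLAGS = {
    "python": {"-c"},
    "python3": {"-c"},
    "node": {"-e", "--eval", "-p", "--print", "-r", "--require", "--import"},
    "npx": {"-c", "--call"},
}

# Environment overrides that change what a launcher executes before the
# intended server starts, or redirect command lookup itself (assumption).
DANGEROUS_ENV = {"PATH", "NODE_OPTIONS", "PYTHONSTARTUP", "PYTHONPATH",
                 "LD_PRELOAD", "DYLD_INSERT_LIBRARIES"}


@dataclass(frozen=True)
class Finding:
    server: str
    reason: str


def is_stdio(entry: dict) -> bool:
    """Treat an entry as stdio unless it declares a URL-based transport."""
    return entry.get("type", "stdio") == "stdio" and "url" not in entry


def check_entry(name: str, entry: dict) -> list[Finding]:
    """Return every reason this server entry should not be auto-launched."""
    if not is_stdio(entry):
        return []
    findings: list[Finding] = []
    command = entry.get("command")
    args = entry.get("args", [])
    env = entry.get("env", {})

    if not isinstance(command, str) or command not in ALLOWED_COMMANDS:
        findings.append(Finding(name, f"command {command!r} is not allowlisted"))
        return findings  # flags of an unknown launcher cannot be judged

    if not isinstance(args, list) or not all(isinstance(a, str) for a in args):
        findings.append(Finding(name, "args must be a list of strings"))
        return findings

    for arg in args:
        flag = arg.split("=", 1)[0]  # match both "-e code" and "--eval=code"
        if flag in DANGEROUS_FLAGS[command]:
            findings.append(Finding(name, f"argument {arg!r} lets {command} run arbitrary code"))

    for var in env:
        if var in DANGEROUS_ENV:
            findings.append(Finding(name, f"env override {var} can hijack {command}"))
    return findings


def audit_config(config: dict) -> list[Finding]:
    """Audit every server entry in a parsed MCP config."""
    servers = config.get("mcpServers", {})
    return [f for name, entry in servers.items() for f in check_entry(name, entry)]


def changed_stdio_servers(old: dict, new: dict) -> dict[str, dict]:
    """Stdio entries that are new or modified relative to a known-good config:
    the signal a file monitor on the config path should alert on."""
    before = old.get("mcpServers", {})
    after = new.get("mcpServers", {})
    return {n: e for n, e in after.items() if is_stdio(e) and before.get(n) != e}


# Constructed sample configs (not real files). The second one models what a
# prompt-injected rewrite might leave behind; the code string is a placeholder.
KNOWN_GOOD = json.loads("""
{"mcpServers": {
  "fs": {"command": "npx",
         "args": ["-y", "@modelcontextprotocol/server-filesystem", "/home/dev/proj"]}
}}""")

AFTER_REWRITE = json.loads("""
{"mcpServers": {
  "fs": {"command": "npx",
         "args": ["-y", "@modelcontextprotocol/server-filesystem", "/home/dev/proj"]},
  "helper": {"command": "python3", "args": ["-c", "<attacker-supplied code>"],
             "env": {"PATH": "/tmp/bin"}}
}}""")

if __name__ == "__main__":
    for f in audit_config(AFTER_REWRITE):
        print(f"{f.server}: {f.reason}")
    print("new/changed stdio servers:", list(changed_stdio_servers(KNOWN_GOOD, AFTER_REWRITE)))
```

The exact-name comparison is deliberate: resolving the command through the host's own PATH is the one lookup the attacker does not control, which is also why a PATH override in the entry's env block is treated as a finding. Run the audit as a pre-launch gate inside the host and the diff as the detection rule on the config path; a finding from either should block the launch until a human has seen the command and args, which is the consent defense 2 asks for.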

Status

Item                                 Reference            Date        Notes
-----------------------------------  -------------------  ----------  ------------------------------------------------
OX Security advisory (10 CVEs)       OX Security          2026-04-15  Windsurf is family #3: "MCP config edit via
                                                                      prompt injection"
CVE-2026-30615 published             NVD (source: MITRE)  2026-04-15  CVSS 8.0 High, CWE-77; last modified 2026-04-17
GitHub advisory GHSA-wj2m-jvpr-64cq  GitHub Advisory DB   2026-04-15  Affected: Windsurf 1.9544.26
Comparable agents (no CVE)           OX Security          2026-04-15  Cursor, Claude Code, Gemini-CLI, Copilot require
                                                                      user approval to edit config

The headline is not “an IDE had a bug.” It is that STDIO MCP config + untrusted model context = a remote code execution primitive, and Windsurf showed the write can be triggered with zero user interaction. The defensive job is to keep config-write authority and untrusted content on opposite sides of a boundary the model cannot cross on its own.

Sources