Anonymous Intelligence Signal

VS Code 1.109.0 Remote Code Execution Flaw: Workspace Trust Bypass for MCP Servers

The Lab (unverified) · 2026-03-28 00:27:01 · Source: GitHub Issues

A critical remote code execution vulnerability in Microsoft's Visual Studio Code editor exposes developers to potential attacks through a bypass of its workspace trust mechanism. The flaw, present in VS Code version 1.109.0 and earlier, allows malicious code to be executed because the editor did not consistently demand user trust before starting Model Context Protocol (MCP) servers. This failure to enforce the security boundary means that opening a project from an untrusted source could lead to the automatic execution of arbitrary code on a developer's machine without explicit consent.

The vulnerability, tracked as CVE-2026-21518, specifically involves the interaction with GitHub Copilot within untrusted workspaces. Microsoft has released a patch in VS Code version 1.109.1, which explicitly demands trust verification before initiating any MCP server. Until the update is applied, the primary workaround is to avoid using Copilot features on any untrusted project or workspace in the affected versions. The security advisory confirms the fix is now available, urging all users to upgrade immediately.
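As an added example (not code from the advisory or the VS Code project), here are the two checks a defender would run before opening an untrusted checkout on a possibly affected build: compare the installed version with the 1.109.1 fix, and list which MCP servers the workspace would ask VS Code to launch as local processes. It assumes, beyond what the page states, that workspace MCP servers are declared in `.vscode/mcp.json` under a `servers` object whose stdio entries carry `command` and `args`; the sample config is constructed.

```python
"""Pre-open checks for the VS Code MCP workspace-trust issue (CVE-2026-21518).

1. is_affected(): VS Code 1.109.0 and earlier are affected, 1.109.1 is fixed.
2. stdio_servers(): which MCP entries in a workspace config would spawn a
   local process (the thing workspace trust is supposed to gate).
Assumption (not stated in the advisory): workspace MCP servers live in
.vscode/mcp.json under a "servers" object; stdio entries carry "command".
"""
import json
import os
from typing import Dict, List, Tuple

FIXED_VERSION = (1, 109, 1)


def parse_version(text: str) -> Tuple[int, ...]:
    """Accept '1.109.0', '1.110.0-insider', or full `code --version` output
    (version on the first line, commit hash and arch on later lines)."""
    first = text.strip().splitlines()[0]
    return tuple(int(p) for p in first.split("-")[0].split("."))


def is_affected(version: str) -> bool:
    """True when the build predates the 1.109.1 fix."""
    return parse_version(version) < FIXED_VERSION


def stdio_servers(mcp_json: str) -> Dict[str, List[str]]:
    """Return {server name: argv} for every entry that would run a local
    command. HTTP/SSE entries (url, no command) are not listed. Input must
    be strict JSON; strip comments first if the file uses JSONC."""
    cfg = json.loads(mcp_json)
    found: Dict[str, List[str]] = {}
    for name, spec in cfg.get("servers", {}).items():
        if "command" in spec and spec.get("type", "stdio") == "stdio":
            found[name] = [spec["command"], *spec.get("args", [])]
    return found


def audit_workspace(root: str) -> Dict[str, List[str]]:
    """Audit a checked-out repo without opening it in the editor."""
    path = os.path.join(root, ".vscode", "mcp.json")
    if not os.path.isfile(path):
        return {}
    with open(path, encoding="utf-8") as fh:
        return stdio_servers(fh.read())


# Constructed sample: one local-process server, one remote HTTP server.
SAMPLE_MCP_JSON = json.dumps({"servers": {
    "build-helper": {"type": "stdio", "command": "npx",
                     "args": ["-y", "example-mcp-server"]},
    "remote-docs": {"type": "http", "url": "https://example.test/mcp"},
}})
```

Run `audit_workspace("/path/to/checkout")` on a fresh clone; any non-empty result is a server the editor would start once the project is opened, so it deserves a look before trusting the workspace.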

This flaw represents a significant lapse in the security model designed to protect developers from malicious repositories. It places the vast ecosystem of VS Code extensions and AI-powered tools like Copilot under scrutiny, highlighting how a single oversight in trust enforcement can create a direct path for remote code execution. The incident underscores the persistent security challenges in developer tooling, where convenience features must be balanced with robust isolation, especially as AI assistants become more deeply integrated into the coding workflow.