Resource Center
/
Reports
/
Envade: Full Technical Report

Envade: A Hidden env Becomes a One-Click RCE in VS Code

A developer clicks a link. The install dialog shows five fields. Five more are silently written to settings, including the attacker's payload. The next time the MCP server starts, arbitrary code runs.

Oasis Security researchers identified a vulnerability (CVE-2026-41613) in Visual Studio Code's MCP install dialog. The preview displays only a curated subset of the fields it persists. Hidden env, envFile, cwd, and headers entries pass through untouched.

Chained with Node.js's NODE_OPTIONS and --import, a single click on a crafted deeplink produces full remote code execution. The same gap enables a second attack: silent session hijacking via planted HTTP headers.

What you can do today:

  • Update VS Code to 1.119.1 or later immediately
  • Audit mcp.json files for env, envFile, headers, or cwd entries you didn't add
  • Govern AI agent identities with the same rigor as human users and service accounts
Read now
Envade: Full Technical Report
Share

Related Content

See All Resources
Iceberg diagram showing VS Code MCP install dialog above water with hidden fields env, envFile, headers, cwd, and dev concealed below the surface
Blog

Envade: One Click in VS Code, Full Shell for the Attacker

AI Access Management