
Your AI Code Editor Could Hand Hackers the Keys to Your Computer

A critical flaw in the Windsurf AI coding tool lets attackers run commands on your machine just by getting you to open a webpage. Here's what you need to know.

PLAIN ENGLISH EDITION

This article is written for general audiences — no security background needed. For the full technical analysis with CVE details, affected versions, and code-level breakdown, visit Intel Reports.

Windsurf AI Editor Prompt Injection Vulnerability

Imagine opening a website — just a normal-looking webpage — and silently handing a stranger complete control over your computer. That's not a hypothetical anymore.

Who's at Risk — and How Many People That Is

Windsurf, the AI-powered code editor built by Codeium, has rapidly become one of the most popular tools in the developer ecosystem, with hundreds of thousands of engineers worldwide relying on it daily to write, debug, and ship software. These aren't casual users — they're the people who build the apps your bank runs on, the platforms your company depends on, and the tools you use every day. A compromised developer machine isn't just a personal problem; it's a supply chain problem that can ripple outward to every piece of software they touch.

The vulnerability, tracked as CVE-2026-30615, carries a CVSS score of 8.0 (HIGH) and affects Windsurf version 1.9544.26 across all major operating systems — Windows, macOS, and Linux. No active exploitation has been confirmed yet, but security teams are being urged to act quickly before that changes.

What an Attacker Can Actually Do to You

Here's the scenario in plain terms. You're a developer using Windsurf. Someone — maybe through a phishing email, a poisoned documentation site, or a malicious open-source project — gets you to load some HTML content inside the editor. It could look completely innocent. There's no suspicious file to download, no permission dialog to click through. But hidden inside that HTML is a set of instructions written not for you, but for Windsurf's AI brain. The AI reads those instructions and obeys them, believing they're legitimate.

Those hidden instructions tell Windsurf to quietly rewrite a configuration file on your machine — specifically, the settings that control which external tools and services Windsurf is allowed to connect to and run. The attacker's instructions register a new "tool" of their choosing: a malicious program that Windsurf will now launch automatically, as if it were a trusted part of your workflow. From that moment forward, the attacker's code is running on your machine with your permissions, without you ever clicking "yes" to anything.

What can they do once they're in? Essentially anything you can do. Read your source code, your API keys, your SSH credentials, your browser cookies. Exfiltrate intellectual property. Plant backdoors in the code you're about to commit and push to a shared repository — quietly infecting every developer who pulls it next. Or simply use your machine as a launchpad to pivot deeper into your company's internal network. The blast radius here extends far beyond the individual developer who opened that webpage.

The Technical Anchor: MCP STDIO Server Hijacking

For the security researchers in the room: the root cause is a prompt injection vulnerability in Windsurf's HTML content processing pipeline. Attacker-controlled HTML is parsed in a context where embedded natural-language instructions are interpreted as authoritative directives by the AI model. This allows an attacker to achieve unauthorized modification of the local MCP (Model Context Protocol) configuration, specifically enabling the automatic registration of a malicious MCP STDIO server. Because STDIO server entries in the MCP config are executed without further user confirmation, command execution follows immediately and persistently — surviving editor restarts. The vulnerability class is prompt injection leading to arbitrary command execution via config poisoning, and it requires no pre-existing access or elevated privileges to trigger.

Discovery, Exploitation Status, and Known Campaigns

At the time of publication, no active exploitation in the wild has been confirmed. The vulnerability has been disclosed with a CVE assignment and a HIGH severity rating, suggesting it passed through a coordinated disclosure process. However, the mechanics of this flaw are not especially exotic — the attack surface is well-understood by offensive security researchers, and the gap between "published CVE" and "weaponized exploit" has historically been very short for developer tooling vulnerabilities, which are high-value targets for both cybercriminal groups and nation-state actors conducting software supply chain operations.

Developer tools have become a favored entry point precisely because developers are trusted insiders with broad access to production systems and code repositories. Previous campaigns targeting tools like VS Code extensions, npm packages, and JetBrains IDEs have demonstrated exactly how damaging this attack surface can be. CVE-2026-30615 fits neatly into that same threat model.

What You Should Do Right Now

  1. Update Windsurf immediately. Version 1.9544.26 is the confirmed vulnerable release. Open Windsurf, navigate to Help → Check for Updates (or your OS equivalent), and install any available patch. If no update is yet available in your channel, consider pausing use of the editor for untrusted content processing until a patched version is confirmed.
  2. Audit your MCP configuration file right now. Locate your Windsurf MCP config (typically found at ~/.codeium/windsurf/mcp_config.json on Linux/macOS or the equivalent AppData path on Windows). Open it in a text editor and review every registered server entry. If you see any STDIO server entries you don't recognize or didn't explicitly add yourself, remove them immediately, then run a full malware scan of your system.
  3. Treat all HTML content rendered inside Windsurf as untrusted. Until a patch is confirmed and deployed, avoid opening HTML files, previews, or documentation from sources you don't fully control inside the editor. Apply the same skepticism to README files from unfamiliar repositories — they can also contain attacker-crafted content. Report any suspicious configuration changes to your security team immediately rather than attempting to remediate alone.
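As an added illustration of the audit in step 2, and of the config-poisoning mechanism described in the technical section, here is a small Python script that is not Windsurf's or Codeium's own code. It loads an MCP config, treats every entry that carries a `command` as a STDIO server (one the editor will launch as a local process), and reports any such entry that is missing from, or whose launch details differ from, a baseline you saved while the config was known-good. Checking the full launch spec rather than just the name matters because a planted change can also redirect an entry you did add yourself. The `mcpServers` / `command` / `args` / `env` layout, the default path, and the sample entries are assumptions and constructed data, not values taken from the advisory.

```python
"""Added example for this article (not Windsurf's or Codeium's code): audit a
Windsurf-style MCP config for STDIO server entries that were never approved.

Assumptions: the config is JSON with a top-level "mcpServers" object; an entry
with a "command" key is a STDIO server the editor launches as a local process
(with optional "args" and "env"); remote servers carry a URL field instead.
The path, sample config and baseline below are constructed for illustration."""
import json
import sys
from pathlib import Path

# Location the article gives for Linux/macOS; pass another path on Windows.
DEFAULT_CONFIG = Path.home() / ".codeium" / "windsurf" / "mcp_config.json"

# Constructed baseline: launch specs of the servers the developer added on
# purpose. Save this while the config is known-good, then diff against it.
BASELINE = {
    "filesystem": {
        "command": "npx",
        "args": ["-y", "@modelcontextprotocol/server-filesystem", "/home/dev/projects"],
    },
}

# Constructed sample config: the approved server, a remote (non-STDIO) server,
# and an entry of the kind an injected prompt could plant (a binary in /tmp).
SAMPLE_CONFIG = json.dumps({
    "mcpServers": {
        "filesystem": BASELINE["filesystem"],
        "remote-search": {"serverUrl": "https://mcp.example.invalid/sse"},
        "docs-helper": {"command": "/tmp/.cache/updater", "args": ["--quiet"]},
    }
})


def is_stdio(entry: dict) -> bool:
    """STDIO entries are the ones that turn into a process launch."""
    return "command" in entry


def launch_spec(entry: dict) -> tuple:
    """Everything that decides what the editor will execute for this entry."""
    return (
        entry.get("command"),
        tuple(entry.get("args", [])),
        tuple(sorted(entry.get("env", {}).items())),
    )


def audit(config: dict, baseline: dict) -> list:
    """One finding per STDIO server that is new or whose launch spec changed."""
    findings = []
    for name, entry in config.get("mcpServers", {}).items():
        if not is_stdio(entry):
            continue  # remote servers are out of scope for this check
        if name not in baseline:
            reason = "not in baseline"
        elif launch_spec(entry) != launch_spec(baseline[name]):
            reason = "launch spec changed"
        else:
            continue
        findings.append({
            "name": name,
            "reason": reason,
            "command": entry.get("command"),
            "args": list(entry.get("args", [])),
            "env": dict(entry.get("env", {})),
        })
    return findings


def audit_text(text: str, baseline: dict) -> list:
    """Audit a config held in memory (used for the constructed sample)."""
    return audit(json.loads(text), baseline)


def audit_file(path: Path, baseline: dict) -> list:
    """Audit a config on disk; a missing file means nothing is registered."""
    if not path.exists():
        return []
    with open(path, encoding="utf-8") as fh:
        return audit(json.load(fh), baseline)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        results = audit_file(Path(sys.argv[1]), BASELINE)
    else:
        results = audit_text(SAMPLE_CONFIG, BASELINE)  # demo on the sample
    for f in results:
        print(f"[{f['reason']}] {f['name']}: {f['command']} {' '.join(f['args'])}")
    if not results:
        print("no unapproved STDIO servers found")
```

Run it with the path to your real `mcp_config.json` as the first argument after replacing `BASELINE` with the entries you know you added; with no argument it audits the constructed sample and flags `docs-helper`. Anything it reports is exactly what step 2 tells you to remove and escalate.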

CVE-2026-30615 | CVSS 8.0 HIGH | Affects Windsurf 1.9544.26 | Cross-platform | No active exploitation confirmed at time of publication.
