CVE-2026-45555: Roslyn CodeLens MCP Server Arbitrary Code Execution via Malicious Diagnostic Analyzers
Roslyn CodeLens MCP Server, a tool that provides intelligent code analysis for .NET projects, contains a critical flaw in how it handles diagnostic analyzers. When you open a .NET solution, the server automatically loads and runs all diagnostic analyzer assemblies referenced in the project files without checking whether they're legitimate. An attacker can exploit this by crafting a malicious project file that references a malicious DLL. When a developer opens that project with the MCP server, the attacker's code runs with the same privileges as the server process, potentially compromising the entire development environment.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-94
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-05-29 / 2026-06-17
NVD description (verbatim)
Roslyn CodeLens MCP Server is a Roslyn-based MCP server providing semantic code intelligence for .NET codebases. From 0.0.9 to 1.17.0, the get_diagnostics MCP tool loads and executes all DiagnosticAnalyzer assemblies referenced by the target solution without any allowlist, signature check, or user confirmation; includeAnalyzers defaults to true, so no explicit opt-in is required. An attacker who can place a malicious .csproj referencing an attacker-controlled DLL in a location the victim opens with the MCP server will achieve arbitrary code execution in the server process with the server's OS privileges. This vulnerability is fixed in 1.17.0.
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-45555 affects the get_diagnostics MCP tool within Roslyn CodeLens MCP Server versions 0.0.9 through 1.17.0. The vulnerability stems from unchecked loading of DiagnosticAnalyzer assemblies specified in .csproj files. The root cause is the absence of validation mechanisms—no signature verification, allowlist enforcement, or explicit user confirmation occurs before assembly execution. The includeAnalyzers parameter defaults to true, meaning malicious analyzers load automatically without requiring developer opt-in. The attack surface is the local filesystem; an attacker places a compromised .NET project containing a malicious .csproj referencing an attacker-controlled DLL in a directory the victim accesses with the MCP server. Upon loading the solution, arbitrary code execution occurs in the server's process context. This is classified as improper control of dynamically managed code objects (CWE-94).
Business impact
For development teams using Roslyn CodeLens MCP Server, compromise of the development environment can lead to supply chain attacks. An attacker executing code in the server process gains access to source code repositories, credentials stored in the development environment, build artifacts, and potentially CI/CD pipeline tokens. This could result in injection of malicious code into released software, theft of proprietary source code, or establishment of persistent backdoors in compiled binaries. Organizations relying on this tool for semantic code intelligence in large .NET codebases face heightened risk of development pipeline contamination if untrusted projects are opened.
Affected systems
Roslyn CodeLens MCP Server versions 0.0.9 through 1.17.0 are affected. Version 1.17.0 contains the fix. Any development environment running an affected version and opening .NET solutions—whether from internal sources, third-party contributions, or dependency repositories—is vulnerable if a malicious .csproj file is included in the solution tree. The vulnerability applies across all operating systems where the MCP server runs (Windows, macOS, Linux).
Exploitability
The vulnerability has moderate exploitability barriers but high impact once triggered. An attacker requires the ability to introduce a malicious .csproj file into a location where a developer will open it with the MCP server—achieved through compromised repositories, pull requests, dependency injection, or social engineering. User interaction is required: the developer must open the affected project. However, no technical sophistication is needed to craft the malicious .csproj; standard .NET tooling suffices. Once the condition is met, code execution is immediate and reliable. The default configuration (includeAnalyzers=true) eliminates any accidental protection from non-adoption.
Remediation
Upgrade Roslyn CodeLens MCP Server to version 1.17.0 or later immediately. This version includes fixes that enforce proper validation of diagnostic analyzer assemblies. Until patched, mitigate risk by restricting where the MCP server process runs (isolated development environments), carefully reviewing all .NET projects opened with the server, disabling the get_diagnostics tool if unused, or setting includeAnalyzers to false in server configuration if that option is available. Do not open untrusted or unfamiliar .NET solutions with an affected MCP server instance.
Patch guidance
Apply the upgrade to version 1.17.0 or later as soon as possible. Verify compatibility with your development environment and integration with any MCP clients or language server protocol editors. Test the patched version with representative .NET projects to ensure no regressions in diagnostic analysis functionality. Monitor vendor advisories for any follow-up guidance. Organizations should prioritize this patch for development machines and shared development infrastructure.
Detection guidance
Monitor for unexpected child processes spawned by the Roslyn CodeLens MCP Server process, particularly .NET compilation tools or PowerShell executions originating from analyzer assembly loading. Log and audit which .csproj files are opened and which diagnostic analyzers are referenced. Review recent projects added to development environments for suspicious .csproj entries referencing external or unfamiliar DLL paths. Use EDR (endpoint detection and response) tools to flag code execution from the MCP server process outside expected diagnostic analysis workflows. Inspect solution files in version control for newly introduced or modified .csproj analyzer references.
Why prioritize this
This vulnerability warrants immediate prioritization despite not yet appearing in CISA's known exploited vulnerabilities catalog. The combination of local code execution, default-enabled exploitation path (includeAnalyzers=true), and supply chain implications creates substantial risk. Development environments are prime targets for persistent compromise. The attack requires only filesystem access and social engineering, not sophisticated exploitation techniques. Organizations using Roslyn CodeLens MCP Server should treat this as critical and patch all affected instances within days, not weeks.
Risk score, explained
The CVSS 3.1 score of 7.8 (HIGH) reflects high impact—confidentiality, integrity, and availability are all compromised—combined with low attack complexity and no privileges required. The local attack vector limits immediate scope but does not diminish the risk given development environment compromise enables downstream supply chain attacks. The user interaction requirement prevents wormable propagation but is easily satisfied through social engineering. The score appropriately reflects a serious vulnerability meriting urgent remediation.
Frequently asked questions
Does this vulnerability affect runtime execution of .NET applications, or only development tooling?
This vulnerability affects only the development tooling—specifically the Roslyn CodeLens MCP Server process. End-user applications and runtime .NET installations are not directly affected. However, if an attacker achieves code execution in the development environment, they can modify source code or compiled binaries before deployment, indirectly compromising production systems.
Can this be exploited remotely, or only if an attacker has local filesystem access?
Exploitation requires local filesystem access to introduce a malicious .csproj file. However, the barrier is low: an attacker can achieve this through a compromised Git repository, a pull request containing malicious project files, a shared network drive, or a downloaded solution bundle. The attack is not remotely exploitable in the traditional sense of network protocol exploitation.
What is the difference between upgrading to 1.17.0 versus simply not opening untrusted projects?
Upgrading eliminates the vulnerability entirely by adding validation that prevents malicious analyzers from executing. Avoiding untrusted projects is a behavioral mitigation but remains prone to human error, supply chain surprises, and insider threats. Patching is the authoritative fix and should not be deferred in favor of manual controls.
If includeAnalyzers is set to false, is the server still vulnerable?
Setting includeAnalyzers to false would disable automatic loading of analyzers, which would mitigate this specific attack vector. However, verify this configuration option exists in your version and functions as intended. Patching to 1.17.0 is still strongly recommended as the authoritative fix rather than relying on workaround configurations.
This analysis is provided for informational purposes based on available vulnerability data as of the publication date. Patch version numbers and remediation guidance should be verified against official vendor advisories and release notes before deployment. Organizations should conduct their own risk assessment based on their specific deployment of Roslyn CodeLens MCP Server and integration points. No exploit code or weaponized proof-of-concept is provided. Testing patches in non-production environments is strongly recommended before enterprise rollout. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2026-10904HIGHChrome V8 Sandbox Escape Remote Code Execution
- CVE-2026-10928HIGHScript Injection in Google Chrome Headless – CVSS 8.8 High Severity
- CVE-2026-1829HIGHContent Visibility for Divi Builder Plugin RCE (v4.02 and below)
- CVE-2026-41249HIGHCoreShop GitHub Actions RCE via Malicious Pull Request
- CVE-2026-42588HIGHApache ActiveMQ Remote Code Execution via Jolokia Code Injection
- CVE-2026-44698HIGHHome Assistant Companion App Token Theft Vulnerability
- CVE-2026-45353HIGHElecterm Terminal Client Local Privilege Escalation Vulnerability
- CVE-2026-45505HIGHApache ActiveMQ Code Injection Vulnerability—Exploit & Patch Guidance