CVE-2026-47284: Visual Studio Code Information Disclosure Vulnerability (CVSS 6.5)
Visual Studio Code contains a flaw that can expose sensitive information to attackers over the network. An attacker can trick a user into performing an action that leads to the disclosure of confidential data, though the attacker cannot modify systems or interrupt services. This is a moderate-severity issue requiring user interaction to exploit.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
- Weaknesses (CWE)
- CWE-200
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-17
NVD description (verbatim)
Exposure of sensitive information to an unauthorized actor in Visual Studio Code allows an unauthorized attacker to disclose information over a network.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-47284 is an information disclosure vulnerability in Microsoft Visual Studio Code classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The vulnerability has a CVSS v3.1 score of 6.5 (MEDIUM severity) with a network attack vector, low attack complexity, no privilege requirements, and user interaction needed. The impact is limited to confidentiality; integrity and availability are not affected. The flaw allows unauthorized disclosure of sensitive data through network-accessible mechanisms without requiring prior authentication.
Business impact
Information disclosure vulnerabilities in developer tools pose significant business risk. Visual Studio Code is widely used across development teams, making it a potential pivot point for data exfiltration. Exposed information could include source code, credentials embedded in code or configurations, API keys, authentication tokens, or proprietary algorithms. While this specific vulnerability requires user interaction, the fact that it operates over the network means compromised data could be intercepted or sent to attacker-controlled systems. Organizations relying on VS Code for sensitive development should assess what data developers typically have open and what controls exist around credential handling.
Affected systems
Microsoft Visual Studio Code is the affected product. The vulnerability impacts users on any supported platform where VS Code runs (Windows, macOS, Linux). Organizations with developer populations using VS Code are at risk, particularly those where developers work with sensitive source repositories, configuration files containing secrets, or proprietary algorithms. The degree of exposure depends on organizational development practices and whether secrets management tools are enforced.
Exploitability
The vulnerability is exploitable over a network without authentication, but requires user interaction—likely clicking a malicious link, opening a specially crafted file, or accepting a connection. Exploitation is not trivial; an attacker must socially engineer a developer or deliver a targeted payload. The attack is not wormable or self-propagating. The CVSS vector (AV:N/AC:L/PR:N/UI:R) indicates relatively straightforward exploitation mechanics once user interaction occurs, but practical exploitation in the wild would depend on the specific data available in the target's environment and the attacker's ability to retrieve it.
Remediation
Microsoft has released a patch for CVE-2026-47284. Update Visual Studio Code to the latest stable version from Microsoft's official channels (Microsoft Store, Visual Studio Code website, or your organization's package manager). Verify the update in VS Code via Help > About to confirm the patched version is running. No known workarounds are available; patching is the primary remediation. Additionally, review and enforce credential management practices—use VS Code extensions for secret scanning, implement pre-commit hooks, and educate developers on avoiding hardcoded credentials.
Patch guidance
Install updates for Visual Studio Code as soon as they become available. Verify the current installed version via Help > About in VS Code. If your organization uses centralized deployment (enterprise SCCM, Intune, or similar), coordinate with systems administration to push the patched version. Users on auto-update should receive the fix automatically, but verify after updating. For offline or air-gapped environments, download the patched installer from Microsoft's official repository and deploy through your change management process.
Detection guidance
Monitor for abnormal data exfiltration or unusual network connections from developer machines running VS Code. Look for unexpected outbound connections to non-organizational domains, especially from processes spawned by or associated with VS Code. Review VS Code extension activity—malicious extensions could amplify this vulnerability. Check application logs and security information and event management (SIEM) systems for evidence of VS Code being used to access or transmit sensitive files. Endpoint Detection and Response (EDR) tools should flag suspicious file access patterns by VS Code or unusual clipboard/network activity.
Why prioritize this
Prioritize this vulnerability as MEDIUM-HIGH for developer-focused organizations. While the CVSS score is 6.5, the business context matters: VS Code is ubiquitous in software development, and developers frequently have access to highly sensitive intellectual property, credentials, and source code. The network-accessible nature and requirement for only user interaction (not privilege escalation) make it a realistic threat in targeted campaigns against development teams. Organizations should patch this within 30 days and review their secret management posture concurrently.
Risk score, explained
The CVSS v3.1 score of 6.5 reflects a network-accessible vulnerability with low attack complexity and user interaction but high confidentiality impact and no integrity or availability impact. The score is appropriate for an information disclosure flaw with moderate exploitability. However, business risk assessment should weight the widespread use of VS Code, the high value of data typically available to developers, and the potential for targeted social engineering. Risk may be elevated in organizations with weak credential management or those handling especially sensitive intellectual property.
Frequently asked questions
Does this vulnerability allow an attacker to execute code or take control of my system?
No. CVE-2026-47284 is an information disclosure vulnerability only. It allows unauthorized access to sensitive data, not code execution, privilege escalation, or system takeover. Integrity and availability of the system remain protected.
Can this vulnerability spread automatically, like a worm?
No. The vulnerability requires an attacker to trick a user into performing a specific action (such as clicking a link or opening a file). It is not self-propagating and cannot spread across networks on its own.
What should developers avoid to prevent exploitation?
Avoid clicking suspicious links or opening untrusted files from unfamiliar sources in VS Code. Do not disable security extensions or ignore warnings about untrusted repositories. More importantly, practice good credential hygiene—use a secrets manager, avoid hardcoding credentials in files, and enable pre-commit scanning to catch accidental secret commits.
Do I need to reinstall VS Code, or is an update enough?
A standard update is sufficient. Close all VS Code instances and update through your normal update mechanism (auto-update, Microsoft Store, or manual download). Reinstalling is not necessary unless the update fails to apply.
This analysis is based on publicly available information as of the publication date. CVSS scores, vulnerability status, and patch availability are subject to change. Verify all patch versions and availability against Microsoft's official security advisories and release notes before deploying in your environment. This content is for informational and educational purposes and should not be construed as professional security or legal advice. Organizations should conduct their own risk assessment based on their specific systems, data, and threat landscape. SEC.co does not provide warranties regarding the completeness or accuracy of third-party vendor statements referenced herein. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-11162MEDIUMChrome CSS Cross-Origin Data Leak Vulnerability
- CVE-2026-11168MEDIUMChrome Extension Memory Disclosure Vulnerability
- CVE-2026-11180MEDIUMChrome SVG Cross-Origin Data Leak – Patch & Mitigation Guide
- CVE-2026-11182MEDIUMChrome SVG Cross-Origin Data Leak Vulnerability
- CVE-2026-11209MEDIUMGoogle Chrome Password Memory Disclosure (CVSS 6.5)
- CVE-2026-11271MEDIUMChrome Password Feature Information Disclosure Vulnerability
- CVE-2026-42906MEDIUMWindows Shell Information Disclosure Vulnerability
- CVE-2026-42907MEDIUMWindows Shell Information Disclosure (CVSS 6.5)