CVE-2026-23653: GitHub Copilot and Visual Studio Code Information Disclosure Vulnerability

Overview

Severity: Medium (CVSS 5.7)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Category: Information Disclosure
Exploit Status: Not Exploited
Exploitation Likelihood: Less Likely
Patch Tuesday: 2026-Apr
Released: 2026-04-14

Description

Improper neutralization of special elements used in a command ('command injection') in GitHub Copilot and Visual Studio Code allows an authorized attacker to disclose information over a network.

FAQ

What type of information could be disclosed by this vulnerability?
An attacker who successfully exploited this vulnerability could disclose the contents of the Model Context Protocol (MCP) when using Copilot.

Affected Products (1)

Developer Tools

  • Microsoft Visual Studio Code CoPilot Chat Extension

Security Updates (1)

Acknowledgments

Jose Rodrigo Sanchez Vicarte with Microsoft

Revision History

  • 2026-04-14: Information published.