Session fixation in Visual Studio Code allows an unauthorized attacker to elevate privileges over a network.
What privileges could be gained by an attacker who successfully exploited the vulnerability? A successful attacker could obtain the permissions associated with the MCP Server’s managed identity. This may allow the attacker to access or perform actions on any resources that the managed identity is authorized to reach. The attacker does not gain broader tenant‑level or administrator permissions; only those tied to the compromised managed identity. According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? The user would have be enticed to open a malicious file in vscode. Users should never open anything that they do not know or trust to be safe.
<a href="https://www.linkedin.com/in/luz-elad/">Elad Luz</a> with <a href="https://www.oasis.security/">Oasis Security</a>