CVE-2026-45482: Microsoft Visual Studio Code CoPilot Chat Extension Security Feature Bypass Vulnerability

Overview

Severity: High (CVSS 8.4)
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Category: Security Feature Bypass
Exploit Status: Not Exploited
Exploitation Likelihood: Less Likely
Patch Tuesday: 2026-Jun
Released: 2026-06-09

Description

Improper limitation of a pathname to a restricted directory ('path traversal') in GitHub Copilot and Visual Studio Code allows an unauthorized attacker to bypass a security feature locally.

FAQ

What kind of security feature could be bypassed by successfully exploiting this vulnerability?

The authentication feature could be bypassed, as this vulnerability allows impersonation.

Affected Products (1)

Developer Tools

  • Microsoft Visual Studio Code CoPilot Chat Extension

Security Updates (1)

Acknowledgments

Daniel Weglowski

Revision History

  • 2026-06-09: Information published.