CVE-2026-47282: GitHub Copilot and Visual Studio Code Information Disclosure Vulnerability

Overview

Severity
Medium (CVSS 6.5)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Category
Information Disclosure
Exploit Status
Not Exploited
Exploitation Likelihood
Less Likely
Patch Tuesday
2026-Jul
Released
2026-07-14

Description

Insufficiently protected credentials in GitHub Copilot and Visual Studio Code allows an unauthorized attacker to disclose information over a network.

FAQ

What type of information could be disclosed by this vulnerability? This vulnerability could expose a sign-in access token for a user’s work account. If disclosed, that token could allow access to data and services that the user is authorized to use, potentially including sensitive organizational information. According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? The user would have be enticed to open a malicious file in vscode. Users should never open anything that they do not know or trust to be safe.

Affected Products (1)

Developer Tools

  • Visual Studio Code

Security Updates (1)

Acknowledgments

Anonymous

Revision History

  • 2026-07-14: Information published.