Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-12856

CVE-2026-12856: VS Code Java Extension RCE Vulnerability

CVE-2026-12856 is a remote code execution flaw in the vscode-java extension for Visual Studio Code that allows attackers to execute arbitrary commands through malicious JavaDoc hovers. This article covers technical details, affected versions, impact, and mitigation strategies.

Published:

CVE-2026-12856 Overview

CVE-2026-12856 is an argument injection flaw [CWE-88] in the vscode-java extension, which provides Java language support for Visual Studio Code. The extension incorrectly trusts all Markdown content rendered in JavaDoc hover popups. A malicious Java file can embed hidden VS Code command links inside JavaDoc comments. When a developer opens the file and clicks a crafted link in the hover popup, arbitrary VS Code commands execute in the current workspace. In a trusted workspace, this behavior leads to full system compromise via developer tooling.

Critical Impact

Attackers can achieve arbitrary command execution and full system compromise on developer workstations that open a malicious Java project in Visual Studio Code with the vscode-java extension.

Affected Products

  • Red Hat vscode-java extension (Language Support for Java by Red Hat)
  • Visual Studio Code installations using the vscode-java extension
  • Downstream distributions bundling the Red Hat Java language server

Discovery Timeline

  • 2026-06-29 - CVE-2026-12856 published to the National Vulnerability Database
  • 2026-06-30 - Last updated in NVD database

Technical Details for CVE-2026-12856

Vulnerability Analysis

The vscode-java extension renders JavaDoc comments as Markdown inside hover popups. VS Code Markdown supports command: URIs that invoke registered extension and editor commands. The extension does not sanitize or restrict the Markdown content extracted from JavaDoc, so any hyperlink written in a comment is passed through to the Markdown renderer. Attackers craft a Java source file whose JavaDoc contains a link targeting a sensitive command, such as workbench.action.terminal.sendSequence or workbench.action.tasks.runTask. When the developer hovers over the symbol and clicks the link, VS Code executes the referenced command with attacker-controlled arguments. This maps to argument injection under [CWE-88].

Root Cause

The root cause is improper neutralization of command-carrying Markdown in JavaDoc content. The extension treats JavaDoc as trusted authored documentation and passes it to a Markdown renderer that permits command: URIs. There is no allowlist restricting which commands the hover can invoke, and there is no confirmation prompt before dispatch.

Attack Vector

The attack requires user interaction. An attacker publishes or delivers a Java project, for example through a public repository, a pull request, or a shared sample. The developer opens the project in Visual Studio Code and marks the workspace as trusted, which is common for Java development because language server features require it. Hovering over an attacker-controlled class or method displays the poisoned JavaDoc. A single click on the link inside the hover popup triggers the embedded VS Code command, leading to arbitrary code execution in the developer's context.

No verified proof-of-concept code is published. See the GitHub Security Advisory and the Red Hat CVE Advisory for vendor technical details.

Detection Methods for CVE-2026-12856

Indicators of Compromise

  • Java source files whose JavaDoc comments contain command: URIs or unusual Markdown hyperlinks referencing VS Code commands such as workbench.action.* or workbench.action.terminal.sendSequence.
  • Unexpected child processes spawned by Code.exe, code, or the Java language server shortly after a developer opens a new repository.
  • New or modified tasks.json, launch.json, or shell startup files created immediately after opening a Java project.

Detection Strategies

  • Scan Java repositories for JavaDoc comments containing command: links or Markdown that references VS Code command identifiers.
  • Alert on the vscode-java extension host process launching shells, PowerShell, cmd.exe, or scripting interpreters without an associated debug or build task.
  • Correlate VS Code workspace trust events with subsequent process creation to identify commands executed via hover interaction.

Monitoring Recommendations

  • Enable endpoint process telemetry on developer workstations and monitor descendants of Visual Studio Code processes.
  • Log outbound network connections initiated by VS Code helper processes immediately after opening cloned repositories.
  • Track installed extension versions across the developer fleet and flag hosts still running vulnerable vscode-java builds.

How to Mitigate CVE-2026-12856

Immediate Actions Required

  • Update the vscode-java extension to the fixed release identified in the GitHub Security Advisory GHSA-7qv8-6qrw-3crv.
  • Do not mark unfamiliar Java repositories as trusted workspaces in VS Code until the extension is patched.
  • Review recently opened third-party Java projects for suspicious JavaDoc content or unexpected local changes.

Patch Information

Red Hat and the redhat-developer/vscode-java maintainers have published a fix. Refer to the Red Hat CVE Advisory, the Red Hat Bug Report, and the Red Hat CSAF VEX Document for fixed version identifiers and distribution status.

Workarounds

  • Open untrusted Java repositories in VS Code Restricted Mode, which disables extension features that dispatch commands from Markdown.
  • Disable or uninstall the vscode-java extension when reviewing untrusted code until patched builds are deployed.
  • Avoid clicking hyperlinks inside hover popups on unfamiliar codebases and inspect JavaDoc as raw text when in doubt.
bash
# Update the Red Hat Java extension from the VS Code CLI
code --install-extension redhat.java --force

# Verify the installed version
code --list-extensions --show-versions | grep redhat.java

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.