CVE-2026-12856 Overview
CVE-2026-12856 is an argument injection flaw [CWE-88] in the vscode-java extension, which provides Java language support for Visual Studio Code. The extension incorrectly trusts all Markdown content rendered in JavaDoc hover popups. A malicious Java file can embed hidden VS Code command links inside JavaDoc comments. When a developer opens the file and clicks a crafted link in the hover popup, arbitrary VS Code commands execute in the current workspace. In a trusted workspace, this behavior leads to full system compromise via developer tooling.
Critical Impact
Attackers can achieve arbitrary command execution and full system compromise on developer workstations that open a malicious Java project in Visual Studio Code with the vscode-java extension.
Affected Products
- Red Hat vscode-java extension (Language Support for Java by Red Hat)
- Visual Studio Code installations using the vscode-java extension
- Downstream distributions bundling the Red Hat Java language server
Discovery Timeline
- 2026-06-29 - CVE-2026-12856 published to the National Vulnerability Database
- 2026-06-30 - Last updated in NVD database
Technical Details for CVE-2026-12856
Vulnerability Analysis
The vscode-java extension renders JavaDoc comments as Markdown inside hover popups. VS Code Markdown supports command: URIs that invoke registered extension and editor commands. The extension does not sanitize or restrict the Markdown content extracted from JavaDoc, so any hyperlink written in a comment is passed through to the Markdown renderer. Attackers craft a Java source file whose JavaDoc contains a link targeting a sensitive command, such as workbench.action.terminal.sendSequence or workbench.action.tasks.runTask. When the developer hovers over the symbol and clicks the link, VS Code executes the referenced command with attacker-controlled arguments. This maps to argument injection under [CWE-88].
Root Cause
The root cause is improper neutralization of command-carrying Markdown in JavaDoc content. The extension treats JavaDoc as trusted authored documentation and passes it to a Markdown renderer that permits command: URIs. There is no allowlist restricting which commands the hover can invoke, and there is no confirmation prompt before dispatch.
Attack Vector
The attack requires user interaction. An attacker publishes or delivers a Java project, for example through a public repository, a pull request, or a shared sample. The developer opens the project in Visual Studio Code and marks the workspace as trusted, which is common for Java development because language server features require it. Hovering over an attacker-controlled class or method displays the poisoned JavaDoc. A single click on the link inside the hover popup triggers the embedded VS Code command, leading to arbitrary code execution in the developer's context.
No verified proof-of-concept code is published. See the GitHub Security Advisory and the Red Hat CVE Advisory for vendor technical details.
Detection Methods for CVE-2026-12856
Indicators of Compromise
- Java source files whose JavaDoc comments contain command: URIs or unusual Markdown hyperlinks referencing VS Code commands such as workbench.action.* or workbench.action.terminal.sendSequence.
- Unexpected child processes spawned by Code.exe, code, or the Java language server shortly after a developer opens a new repository.
- New or modified tasks.json, launch.json, or shell startup files created immediately after opening a Java project.
Detection Strategies
- Scan Java repositories for JavaDoc comments containing command: links or Markdown that references VS Code command identifiers.
- Alert on the vscode-java extension host process launching shells, PowerShell, cmd.exe, or scripting interpreters without an associated debug or build task.
- Correlate VS Code workspace trust events with subsequent process creation to identify commands executed via hover interaction.
Monitoring Recommendations
- Enable endpoint process telemetry on developer workstations and monitor descendants of Visual Studio Code processes.
- Log outbound network connections initiated by VS Code helper processes immediately after opening cloned repositories.
- Track installed extension versions across the developer fleet and flag hosts still running vulnerable vscode-java builds.
How to Mitigate CVE-2026-12856
Immediate Actions Required
- Update the vscode-java extension to the fixed release identified in the GitHub Security Advisory GHSA-7qv8-6qrw-3crv.
- Do not mark unfamiliar Java repositories as trusted workspaces in VS Code until the extension is patched.
- Review recently opened third-party Java projects for suspicious JavaDoc content or unexpected local changes.
Patch Information
Red Hat and the redhat-developer/vscode-java maintainers have published a fix. Refer to the Red Hat CVE Advisory, the Red Hat Bug Report, and the Red Hat CSAF VEX Document for fixed version identifiers and distribution status.
Workarounds
- Open untrusted Java repositories in VS Code Restricted Mode, which disables extension features that dispatch commands from Markdown.
- Disable or uninstall the vscode-java extension when reviewing untrusted code until patched builds are deployed.
- Avoid clicking hyperlinks inside hover popups on unfamiliar codebases and inspect JavaDoc as raw text when in doubt.
# Update the Red Hat Java extension from the VS Code CLI
code --install-extension redhat.java --force
# Verify the installed version
code --list-extensions --show-versions | grep redhat.java
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

