CVE-2026-45555 Overview
CVE-2026-45555 is an arbitrary code execution vulnerability in Roslyn CodeLens MCP Server, a Roslyn-based Model Context Protocol (MCP) server that provides semantic code intelligence for .NET codebases. The get_diagnostics MCP tool loads and executes every DiagnosticAnalyzer assembly referenced by the target solution. The server performs no allowlisting, no signature validation, and no user confirmation. Because includeAnalyzers defaults to true, exploitation requires no explicit opt-in from the victim. An attacker who places a malicious .csproj referencing an attacker-controlled DLL in a location the victim opens with the MCP server gains code execution in the server process. The flaw affects versions 0.0.9 through prior to 1.17.0 and is fixed in 1.17.0.
Critical Impact
Opening an attacker-supplied .NET solution causes the MCP server to load and execute arbitrary attacker-controlled code with the server process's OS privileges.
Affected Products
- Roslyn CodeLens MCP Server versions 0.0.9 through 1.16.x
- .NET solutions processed via the get_diagnostics MCP tool
- Host environments where the MCP server runs with user or elevated privileges
Discovery Timeline
- 2026-05-29 - CVE-2026-45555 published to NVD
- 2026-06-01 - Last updated in NVD database
Technical Details for CVE-2026-45555
Vulnerability Analysis
The vulnerability falls under [CWE-94] Improper Control of Generation of Code. Roslyn analyzers are .NET assemblies that the compiler loads and executes in-process to surface diagnostics. The MCP server's get_diagnostics tool delegates to Roslyn's analyzer loading pipeline against whatever solution and project files the caller points it at. No trust boundary exists between the analyzer DLLs referenced in a project and the server process itself. As a result, any DiagnosticAnalyzer referenced by a .csproj runs with the privileges of the MCP server when diagnostics are requested.
Root Cause
The root cause is the absence of integrity controls around analyzer loading. The server does not maintain an allowlist of trusted analyzer assemblies. It does not validate Authenticode signatures or content hashes. It does not prompt the user before loading third-party code. The includeAnalyzers parameter defaults to true, removing the need for any user gesture to trigger analyzer execution.
Attack Vector
The attack requires local access through user interaction, consistent with the CVSS vector. An attacker stages a repository containing a crafted .csproj that references a malicious analyzer DLL, either bundled in the repository or pulled from an attacker-controlled NuGet feed. The victim opens the folder or solution with a client that invokes the Roslyn CodeLens MCP Server. When get_diagnostics runs, the analyzer assembly loads into the server process and its constructor or analyzer entry points execute attacker code. The code runs with the OS privileges of the user hosting the MCP server, enabling credential theft, lateral movement, or persistence on the developer workstation. See the GitHub Security Advisory GHSA-552p-8f74-6x7q for technical details.
Detection Methods for CVE-2026-45555
Indicators of Compromise
- Unexpected child processes spawned by the Roslyn CodeLens MCP Server host process (dotnet, node, or the MCP binary) shortly after a solution is opened.
- Outbound network connections originating from the MCP server process to non-developer infrastructure.
- .csproj files referencing analyzer DLLs from non-standard paths, unsigned publishers, or unfamiliar NuGet sources.
- New or modified DLLs in repository-local directories such as analyzers/, tools/, or arbitrary subfolders referenced via <Analyzer Include="..."/> elements.
Detection Strategies
- Inventory installed versions of Roslyn CodeLens MCP Server across developer endpoints and flag any version below 1.17.0.
- Monitor process trees rooted at the MCP server for execution of shells, scripting interpreters, or LOLBins after solution open events.
- Parse .csproj and Directory.Build.props files for <Analyzer> references pointing to unsigned or non-standard paths.
Monitoring Recommendations
- Enable EDR telemetry on developer workstations and alert on credential access APIs invoked from .NET host processes.
- Log MCP server startup parameters and the solution paths it loads, then correlate against repository clone events.
- Track NuGet package restore events and flag analyzer packages from unverified feeds.
How to Mitigate CVE-2026-45555
Immediate Actions Required
- Upgrade Roslyn CodeLens MCP Server to version 1.17.0 or later on every developer workstation and CI runner.
- Do not open untrusted repositories or solutions with the MCP server until the upgrade is complete.
- Audit recently opened solutions for unfamiliar <Analyzer> references and quarantine any suspicious analyzer DLLs.
Patch Information
The maintainer has released version 1.17.0, which fixes the unrestricted analyzer loading behavior. Refer to the GitHub Security Advisory GHSA-552p-8f74-6x7q for release details and remediation guidance.
Workarounds
- Pass includeAnalyzers=false when invoking the get_diagnostics tool on solutions of unknown provenance.
- Run the MCP server under a low-privilege account or inside an isolated container or VM dedicated to untrusted code review.
- Restrict NuGet sources to internal, curated feeds and require signed analyzer packages only.
- Treat repositories from external contributors as untrusted until reviewed offline without the MCP server attached.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
