CVE-2026-45555 — Roslyn CodeLens MCP Server RCE
AI relevance: The Roslyn CodeLens MCP server — used to give AI coding assistants semantic .NET code intelligence — loads and executes attacker-supplied .NET assemblies on solution open, turning a routine code-review action into arbitrary code execution on the developer's machine.
- CVE-2026-45555 is a remote code execution vulnerability in the Roslyn CodeLens MCP Server, affecting versions 0.0.9 through 1.17.0.
- The server loads .NET assemblies from the opened solution path and executes them in-process, with the server's OS-level privileges.
- An attacker can place a malicious .NET assembly in a solution directory — for instance, via a cloned repository or shared project — and trigger execution simply by having the MCP server open that solution.
- The flaw falls under CWE-94 (Improper Control of Generation of Code) — the server treats solution-directory assemblies as trusted diagnostic plugins without any integrity verification or sandboxing.
- Roslyn analyzers are designed to run in-process with the compiler; when an MCP server reuses this loading mechanism to power code-intelligence tools for AI agents, it inherits the same arbitrary-code-execution risk without the compiler's isolation boundaries.
- AI coding assistants (Claude Code, Cursor, Copilot) that connect to this MCP server for .NET code analysis become indirect attack vectors — the agent opens the project, the server loads the malicious assembly, code executes.
Why it matters
This is a recurring pattern across AI coding tooling: code-intelligence MCP servers that load language-server plugins or analyzers from untrusted project directories inherit code-execution semantics that were never designed for adversarial input. Every developer who opens an AI-assisted workspace on an untrusted repo becomes a target. The attack requires zero social engineering beyond getting the victim to analyze a project.
What to do
- Update roslyn-codelens-mcp to a patched version (≥ 1.17.1) if available; otherwise disable the server for untrusted repositories.
- Run MCP servers for code intelligence in sandboxed containers or restricted user accounts, never with developer-level credentials.
- Audit any MCP server that loads plugins, analyzers, or assemblies from project directories — treat the project tree as untrusted input.
- For teams using AI coding assistants on open-source or client-supplied code, enforce repository scanning before opening in an AI-assisted environment.
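One way to implement the audit and pre-open scanning steps above, as an added example that is not code from the advisory or from the roslyn-codelens-mcp project. The advisory does not say which files the server loads, so the scan assumes a conservative rule: report every committed `.dll`/`.exe` and every MSBuild `<Analyzer Include="...">` item. The function names and the sample tree are constructed for illustration.

```python
import re
import sys
import tempfile
from pathlib import Path

# Assumption (not from the advisory): flag every committed binary and every
# MSBuild <Analyzer> item, since the exact load path is not documented there.
BINARY_SUFFIXES = {".dll", ".exe"}
MSBUILD_SUFFIXES = {".csproj", ".vbproj", ".fsproj", ".props", ".targets"}
ANALYZER_ITEM = re.compile(r'<Analyzer\b[^>]*\bInclude\s*=\s*"([^"]+)"', re.I)

def scan_solution_tree(root):
    """Return sorted (kind, relative_path, detail) findings for a checkout."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file() or ".git" in path.relative_to(root).parts:
            continue
        rel = path.relative_to(root).as_posix()
        suffix = path.suffix.lower()
        if suffix in BINARY_SUFFIXES:
            with path.open("rb") as fh:
                is_pe = fh.read(2) == b"MZ"  # PE/.NET assemblies start with "MZ"
            findings.append(("binary", rel, "PE header" if is_pe else "no PE header"))
        elif suffix in MSBUILD_SUFFIXES:
            text = path.read_text(encoding="utf-8", errors="replace")
            for include in ANALYZER_ITEM.findall(text):
                findings.append(("analyzer-item", rel, include))
    return sorted(findings)

def build_constructed_sample(root):
    """Constructed sample: one clean project, one that ships an analyzer DLL."""
    root = Path(root)
    (root / "Clean").mkdir()
    (root / "Clean" / "Clean.csproj").write_text('<Project Sdk="Microsoft.NET.Sdk" />')
    (root / "App" / "tools").mkdir(parents=True)
    (root / "App" / "tools" / "Lint.dll").write_bytes(b"MZ" + b"\x00" * 62)
    (root / "App" / "App.csproj").write_text(
        '<Project Sdk="Microsoft.NET.Sdk">\n  <ItemGroup>\n'
        '    <Analyzer Include="tools\\Lint.dll" />\n  </ItemGroup>\n</Project>\n')

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        target = sys.argv[1] if len(sys.argv) > 1 else tmp
        if target == tmp:
            build_constructed_sample(tmp)  # no path given: scan the sample
        results = scan_solution_tree(target)
    for finding in results:
        print(*finding, sep="\t")
    sys.exit(1 if len(sys.argv) > 1 and results else 0)  # non-zero gates the open
```

Run with a checkout path as the only argument before pointing an MCP server at it; a non-zero exit means the tree carries binaries or analyzer references that need review first.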