Executive Summary

The vulnerability CVE-2026-45555 involves arbitrary code execution in the RoslynCodeLens.Mcp NuGet package due to improper handling of Roslyn Analyzer execution.

Specifically, the get_diagnostics tool loads and executes all DiagnosticAnalyzer assemblies referenced in a project without any allowlist, signature checks, or user confirmation. Since includeAnalyzers defaults to true, no explicit opt-in is required.

An attacker can exploit this by placing a malicious .csproj file referencing an attacker-controlled DLL in a location that the victim opens with the MCP server. This leads to arbitrary code execution within the server process with the server's OS privileges.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows arbitrary code execution with the server's OS privileges, potentially leading to full host compromise including read/write filesystem access, credential exfiltration, and persistence installation.

Such impacts can result in unauthorized access to sensitive data, which may violate compliance requirements under standards like GDPR and HIPAA that mandate protection of personal and health information.

Therefore, exploitation of this vulnerability could lead to non-compliance with these regulations due to potential data breaches and insufficient control over code execution.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have severe impacts because an attacker who can supply a malicious .sln or .csproj file that the victim opens with the MCP server can execute arbitrary native code with the privileges of the dotnet process hosting the MCP server.

• Full host compromise
• Read and write access to the filesystem
• Credential exfiltration
• Installation of persistence mechanisms

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by identifying if the Roslyn CodeLens MCP Server is running a version between 0.0.9 and 1.17.0 that uses the get_diagnostics tool with includeAnalyzers set to true (the default). Detection involves checking for the presence of projects (.csproj or .sln files) that reference external or untrusted DiagnosticAnalyzer DLLs which could be malicious.

Since the vulnerability arises from loading and executing all DiagnosticAnalyzer assemblies without allowlist or signature checks, you can look for suspicious .csproj files referencing unknown or attacker-controlled DLLs in locations accessed by the MCP server.

Suggested commands to detect potential exploitation or presence of malicious analyzers include:

• Search for .csproj files referencing external DLLs: grep -r '<Reference Include=".*\.dll"' /path/to/projects
• Check running MCP server version: dotnet --list-runtimes or check package versions in your environment
• Monitor process activity for unexpected DLL loads or code execution within the MCP server process using system monitoring tools like Process Monitor (Windows) or lsof/strace (Linux).

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include upgrading the Roslyn CodeLens MCP Server to version 1.17.0 or later, where the vulnerability is fixed.

If upgrading is not immediately possible, configure the get_diagnostics tool to set includeAnalyzers to false to prevent automatic loading and execution of DiagnosticAnalyzer assemblies.

Implement an allowlist for analyzers to restrict which DiagnosticAnalyzer DLLs can be loaded.

Run analyzers in a sandboxed subprocess to limit the impact of any malicious code execution.

Enable or enforce user confirmation prompts before loading new analyzer DLL paths to prevent silent execution of untrusted code.

Additionally, review and restrict access to project files (.csproj, .sln) to prevent attackers from placing malicious references.

Useful 0 Not Useful 0