PatchSiren

CVE-2026-10789 Autodesk CVE debrief

CVE-2026-10789 is a critical vulnerability in Autodesk Fusion Desktop's MCP extension. A maliciously crafted webpage can trigger this vulnerability, potentially allowing arbitrary code execution with the privileges of the current user. The vulnerability has a CVSS score of 9.6 and is considered critical. Autodesk has released a security advisory (ADSK-SA-2026-0008) and patches to address this issue. Users of Autodesk Fusion Desktop should review their installations and apply the necessary updates.

Vendor: Autodesk
Product: Fusion
CVSS: CRITICAL 9.6
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-22
Original CVE updated: 2026-06-24
Advisory published: 2026-06-22
Advisory updated: 2026-06-24

Who should care

Users of Autodesk Fusion Desktop, particularly those with the MCP extension enabled, should be aware of this critical vulnerability. IT administrators and security teams responsible for managing software updates and vulnerabilities within their organizations should prioritize patching affected systems. Additionally, developers and users who interact with web content while running Autodesk Fusion Desktop should exercise caution when visiting untrusted websites.

Technical summary

The vulnerability exists in the MCP extension of Autodesk Fusion Desktop. When a user with the MCP extension enabled visits a maliciously crafted webpage, it can trigger the vulnerability. Successful exploitation could allow arbitrary code execution with the privileges of the current user. The CVSS vector for this vulnerability is CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H, indicating a high impact on confidentiality, integrity, and availability. The vulnerability is classified under CWE-94, 'Code Injection'.

Defensive priority

This vulnerability has a high defensive priority due to its critical CVSS score of 9.6 and the potential for arbitrary code execution. Immediate action is recommended to patch affected systems and mitigate the risk of exploitation.

Recommended defensive actions

  • Review and apply the patches provided by Autodesk (ADSK-SA-2026-0008) to the MCP extension of Fusion Desktop.
  • Ensure that the MCP extension is only enabled when necessary and consider disabling it if not required.
  • Implement web filtering and monitoring to detect and block malicious web content.
  • Educate users about the risks of visiting untrusted websites and the importance of keeping software up-to-date.
  • Conduct regular vulnerability assessments and inventory checks to identify and address potential exposures.

Evidence notes

The CVE-2026-10789 record was published on June 22, 2026, and last modified on June 24, 2026. The record has been analyzed and references Autodesk's security advisory and product download links. The CPE criteria indicate that versions up to 2703.1.20 are vulnerable.

This article is AI-assisted and based on the supplied source corpus.