PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-45555 MarcelRoozekrans CVE debrief

The Roslyn CodeLens MCP Server (roslyn-codelens-mcp), a Roslyn-based Model Context Protocol (MCP) server providing semantic code intelligence for .NET codebases, contains an arbitrary code execution vulnerability rated High (CVSS 3.1 7.8). The CVE description gives the affected range as versions 0.0.9 through 1.17.0 while also naming 1.17.0 as the fixed release, so the affected set should be read as 0.0.9 and later, prior to 1.17.0. The `get_diagnostics` MCP tool loads and executes every DiagnosticAnalyzer assembly referenced by the target solution, with no allowlist, signature verification, or user confirmation. Because the tool's `includeAnalyzers` parameter defaults to `true`, analyzers run unless the caller explicitly opts out. An attacker who can get a `.csproj` file referencing an attacker-controlled DLL into a location the victim opens with the MCP server achieves code execution inside the server process, with whatever operating system privileges that process has. The vulnerability was disclosed on 2026-05-29 and is fixed in version 1.17.0.

Vendor
MarcelRoozekrans
Product
roslyn-codelens-mcp
CVSS
HIGH 7.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-29
Original CVE updated
2026-05-29
Advisory published
2026-05-29
Advisory updated
2026-05-29

Who should care

Organizations and developers using Roslyn CodeLens MCP Server for .NET code intelligence, particularly those pointing it at untrusted or third-party codebases (for example, an AI coding agent that opens arbitrary repositories). Security teams responsible for supply chain security and development environment hardening should prioritize this vulnerability because a malicious project file alone yields code execution with the privileges of the developer's MCP server process.

Technical summary

The vulnerability exists in the `get_diagnostics` tool implementation, which loads and executes the DiagnosticAnalyzer assemblies referenced by the target solution in-process. The default `includeAnalyzers=true` setting enables this behavior without explicit user consent, and nothing checks where a referenced analyzer assembly comes from: there is no allowlist of trusted analyzers and no signature verification. An attacker therefore only needs to control a project file (or a dependency it references) to have an arbitrary DLL loaded and run by the server.

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade Roslyn CodeLens MCP Server to version 1.17.0 or later to remediate this vulnerability
  • Review and audit all .csproj files and solution references, including any Analyzer items and package references they pull in, before opening them with the MCP server
  • Run the MCP server in a sandbox or under a dedicated low-privilege account, since analyzer code executes with the server's privileges
  • Monitor for unexpected DiagnosticAnalyzer assemblies in build outputs and solution directories
  • If immediate patching is not possible, restrict the MCP server to trusted users and validated solution files, and have clients pass `includeAnalyzers=false` to `get_diagnostics` rather than relying on the default
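The following script is an added example of the pre-open audit recommended above; it is not code from roslyn-codelens-mcp or from the advisory. It parses `.csproj` files and reports every `<Analyzer Include=...>` item and `<PackageReference>`, classifying analyzer paths by whether they stay inside the solution tree, escape it, point at a network share, or depend on an MSBuild property that must be resolved by hand. The sample project file is constructed for the demonstration and the paths in it are made up.

```python
"""Audit .csproj files for analyzer assemblies that a Roslyn-based tool would
load and execute. Added example; not code from roslyn-codelens-mcp."""
import os
import posixpath
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample project file (paths and package are illustrative only).
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <TargetFramework>net8.0</TargetFramework>
  </PropertyGroup>
  <ItemGroup>
    <PackageReference Include="StyleCop.Analyzers" Version="1.1.118" />
    <Analyzer Include="tools\\LocalAnalyzer.dll" />
    <Analyzer Include="..\\..\\..\\Downloads\\Helpful.Analyzers.dll" />
    <Analyzer Include="\\\\fileserver\\share\\Helper.dll" />
    <Analyzer Include="$(AnalyzerDir)\\Extra.dll" />
  </ItemGroup>
</Project>
"""


@dataclass
class Finding:
    project: str   # project file the item came from
    kind: str      # "analyzer" or "package"
    include: str   # the Include attribute exactly as written
    reason: str    # why a reviewer should look at it


def _classify_analyzer(include, project_dir, solution_root):
    """Decide how an <Analyzer Include=...> path should be treated (POSIX-style paths)."""
    path = include.replace("\\", "/")
    if "$(" in path:
        return "uses an MSBuild property; resolve it before trusting the path"
    if path.startswith("//"):
        return "UNC path; analyzer would be loaded from a network share"
    is_abs = path.startswith("/") or (len(path) > 1 and path[1] == ":")
    resolved = posixpath.normpath(path if is_abs else posixpath.join(project_dir, path))
    root = posixpath.normpath(solution_root)
    if resolved == root or resolved.startswith(root + "/"):
        return "in-tree analyzer DLL; inspect it or rebuild it from source"
    return "relative path escapes the solution root"


def audit_project(csproj_text, project_dir, solution_root, name="project.csproj"):
    """Return one Finding per Analyzer item or PackageReference in a project file."""
    findings = []
    root = ET.fromstring(csproj_text)
    for el in root.iter():
        tag = el.tag.rsplit("}", 1)[-1]   # strip the namespace used by legacy-style csproj files
        include = el.get("Include")
        if not include:
            continue
        if tag == "Analyzer":
            findings.append(Finding(name, "analyzer", include,
                                    _classify_analyzer(include, project_dir, solution_root)))
        elif tag == "PackageReference":
            findings.append(Finding(name, "package", include,
                                    "NuGet package may ship analyzers; pin the version and verify the feed"))
    return findings


def audit_solution(solution_root):
    """Walk a checkout and audit every .csproj found under it."""
    findings = []
    solution_root = os.path.abspath(solution_root)
    for dirpath, _dirs, files in os.walk(solution_root):
        for fn in files:
            if fn.endswith(".csproj"):
                full = os.path.join(dirpath, fn)
                with open(full, encoding="utf-8-sig") as fh:
                    text = fh.read()
                findings.extend(audit_project(text, dirpath.replace(os.sep, "/"),
                                              solution_root.replace(os.sep, "/"), full))
    return findings


def blocking(findings):
    """Analyzer references that should stop the solution being opened until resolved:
    anything that is not a plain in-tree DLL (which still deserves inspection)."""
    return [f for f in findings if f.kind == "analyzer" and not f.reason.startswith("in-tree")]


if __name__ == "__main__":
    for f in audit_project(SAMPLE_CSPROJ, "/repo/src/App", "/repo"):
        print(f"{f.kind:8} {f.include:45} {f.reason}")
```

Run `audit_solution(path)` over a checkout before handing it to the MCP server; anything returned by `blocking()` is a reference the tool would resolve and load from outside the repository. In-tree DLLs are not safe by default either, since an attacker who controls the repository can commit the analyzer alongside the project file, so they are listed for manual inspection rather than silently accepted.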

Evidence notes

The vulnerability description is sourced from the official CVE record and NVD entry. The CVE description states the affected version range as 0.0.9 to 1.17.0 and the fix version as 1.17.0; since the upper bound of the range is the fixed release, treat versions below 1.17.0 as affected and 1.17.0 as patched. The CVSS 3.1 vector (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) describes a local attack vector with low complexity, no privileges required, and user interaction required (the victim must open the malicious solution with the server), with high impact on confidentiality, integrity, and availability. No CISA KEV listing was present in the stored evidence at the time of writing.

Official resources

The vulnerability was disclosed on 2026-05-29.