CVE-2026-30615: Windsurf MCP Prompt Injection RCE

Executive Summary

A prompt injection vulnerability in Windsurf 1.9544.26 allows unauthorized modification of the local MCP configuration and automatic registration of malicious MCP STDIO servers, leading to arbitrary command execution.

Root Cause Analysis

Analysis indicates that the vulnerability originates from insecure processing of MCP configurations. The application fails to sanitize inputs provided in JSON format, allowing command injection.

Exploit Analysis

The attack vector leverages the MCP adapter configuration logic. By injecting a malicious JSON configuration containing arbitrary command and argument values, the LiteLLM process executes these inputs on the host system.

Detection Rules

Sigma

title: Windsurf MCP Prompt Injection RCE Detection
logsource:
  category: process_creation
detection:
  selection:
    CommandLine: '*mcp*register*'
  condition: selection