MCP Extension Code Injection Vulnerability in Autodesk Fusion Desktop

9.6 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Description

A maliciously crafted webpage, when visited by a user with Autodesk Fusion Desktop running and the MCP extension enabled, can trigger a vulnerability in the MCP extension that could allow arbitrary code execution. A successful exploit may allow code to execute with the privileges of the current user.

AI Analysis

Code injection vulnerability in the MCP extension of Autodesk Fusion Desktop, allowing arbitrary code execution with the privileges of the current user.

Basic Information

ID CVE-2026-10789

Source autodesk

Published Jun 22, 2026 at 17:15

Affected Product

Vendor Autodesk

Product Fusion

Version 2703.1.11

Affected Versions Autodesk Fusion 2703.1.11

CWE Classification

CWE-94

AI Assessment

AI Score 9.6 / 10

AI Severity Critical

Vendor Autodesk

Product Autodesk Fusion Desktop

Version 2703.1.11

References

{
    "lastseen": "",
    "description": "A maliciously crafted webpage, when visited by a user with Autodesk Fusion Desktop running and the MCP extension enabled, can trigger a vulnerability in the MCP extension that could allow arbitrary code execution. A successful exploit may allow code to execute with the privileges of the current user.",
    "published": "2026-06-22T17:15:25.546Z",
    "modified": "2026-06-22T17:15:25.546Z",
    "type": "cve",
    "title": "MCP Extension Code Injection Vulnerability in Autodesk Fusion Desktop",
    "source": "autodesk",
    "references": "https://www.autodesk.com/trust/security-advisories/adsk-sa-2026-0008\nhttps://dl.appstreaming.autodesk.com/production/installers/Fusion%20Client%20Downloader.exe\nhttps://dl.appstreaming.autodesk.com/production/installers/Fusion%20Client%20Downloader.dmg",
    "id": "CVE-2026-10789",
    "bulletinFamily": "",
    "cwe": [
        "CWE-94"
    ],
    "cvelist": null,
    "sourceData": "Autodesk Fusion 2703.1.11",
    "sourceHref": "",
    "cvss": {
        "score": 9.6,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Fusion",
    "version": "2703.1.11",
    "vendor": "Autodesk",
    "ai_description": "Code injection vulnerability in the MCP extension of Autodesk Fusion Desktop, allowing arbitrary code execution with the privileges of the current user.",
    "ai_severity": "Critical",
    "ai_vendor": "Autodesk",
    "ai_product": "Autodesk Fusion Desktop",
    "ai_version": "2703.1.11",
    "ai_score": 9.6
}

MCP Extension Code Injection Vulnerability in Autodesk Fusion Desktop_CVE-2026-10789