PERMISSION/PROTOCOL

2026-04-15

High · Primary

Windsurf Zero-Click RCE: Processing Attacker-Controlled HTML Caused Auto-Registration of Malicious MCP STDIO Server Without User Interaction (CVE-2026-30615, CVSS 8.0)

The only fully zero-click AI IDE exploit in the OX Security disclosure chain. Processing attacker-controlled HTML in Windsurf caused unauthorized MCP config modification and auto-registration of a malicious MCP STDIO server with zero user interaction. CVSS 8.0. CVE-2026-30615.

Windsurf · Tool execution / MCP · Zero-click RCE: HTML processing auto-registers malicious MCP STDIO server · Developer workstation / Windsurf IDE

What happened

An attacker caused Windsurf to process malicious HTML (via a web view, rendered markdown, or a similar vector; the public summary does not pin down the exact rendering path). Processing the HTML caused an unauthorized modification of the MCP server configuration and auto-registration of an attacker-controlled MCP STDIO server. Because a STDIO server is a local process started from the command and arguments in that configuration, registration alone gave the attacker code execution, with no user interaction at any step.

Why it matters

Full RCE on developer workstations via the registered malicious STDIO MCP server. Zero user interaction required — any developer whose IDE processed attacker-controlled HTML was at risk of complete machine compromise.

Missing authorization check

MCP server registration and MCP configuration modifications must require explicit human authorization. Auto-registration triggered by content processing is a critical security boundary violation: the action that matters is the write to the MCP config and the resulting process launch, and that action should require a signed receipt regardless of what triggered it, because the IDE cannot tell rendered attacker HTML from a legitimate user request at that point.

Would PP block it?

MCP server registration is a consequential action that should always require a human-signed receipt. If registration required a PP receipt, the zero-click auto-registration would be blocked regardless of how the registration was triggered — HTML processing, prompt injection, or any other vector.

Incident analysis

Timeline and technical read

Timeline

  1. 2026-04-15

    OX Security publishes disclosure chain including CVE-2026-30615: Windsurf zero-click MCP RCE via attacker-controlled HTML auto-registering malicious MCP STDIO server. CVSS 8.0. Only fully zero-click exploit in the chain.

Technical breakdown

  • Windsurf processed attacker-controlled HTML content (via web view rendering, markdown display, or similar mechanism).
  • The HTML contained instructions that caused Windsurf to modify its MCP server configuration.
  • The configuration modification triggered auto-registration of an attacker-controlled MCP STDIO server.
  • The STDIO server was registered and started without any user approval prompt or authorization step — fully zero-click.

Authorization boundary

Where the authorization boundary should have been

This incident is categorized as Tool execution / MCP. The relevant Permission Protocol gate is the Tool-Call Gate. The read is conditional: the block only applies where the real action boundary (the MCP config write and the STDIO process launch) is routed through the gate. A gate placed only in front of the chat or agent UI would not catch a config change initiated by HTML rendering, since that path never passes through the UI.

If enforced at: MCP server registration gate, MCP configuration modification
Still needs: Auto-registration of MCP servers without user authorization; MCP config modification from content processing
Receipt required for: MCP server registration, MCP configuration changes, STDIO server startup

PP's Tool-Call Gate would require a receipt before any MCP server is registered. Auto-registration triggered by HTML processing would not have a valid receipt and would be blocked.
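The following is an added illustration of the gate described above, not Windsurf's, OX Security's or Permission Protocol's code. It diffs a proposed MCP config against the current one per server entry and applies an entry only if it carries a receipt bound to that exact name, command and args, so an entry injected by content processing is blocked and never launched, while an entry a human actually signed goes through. Two assumptions that the page does not state: the config shape (`mcpServers` mapping to `{command, args}`, as MCP clients commonly use) and the receipt format (HMAC-SHA256 under a signer-held key, a stand-in for PP's real receipt). The configs and the injected entry are constructed for the example.

```python
"""Gated MCP STDIO server registration, as an added illustration.

Not Windsurf's, OX Security's or Permission Protocol's code. Assumptions
(neither is stated on the page this accompanies):
  * an MCP client config of the shape {"mcpServers": {name: {"command", "args", ...}}};
  * a "receipt" that is an HMAC-SHA256 over the exact server entry, keyed by a
    secret the human-side signer holds, standing in for PP's receipt format.
"""
import copy
import hashlib
import hmac
import json

# Constructed key for the example. In a real deployment the IDE process that
# applies config changes must not hold this key; only the signer does.
SIGNER_KEY = b"example-signer-key-not-a-real-secret"


def canonical(name, entry):
    """Bytes a receipt commits to: server name plus sorted, minified JSON of the
    entry. Any change to command, args or env changes these bytes."""
    body = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return name.encode() + b"\x00" + body.encode()


def sign_receipt(name, entry, key=SIGNER_KEY):
    """What the human-side signer produces after reviewing exactly this entry."""
    return hmac.new(key, canonical(name, entry), hashlib.sha256).hexdigest()


def verify_receipt(name, entry, receipt, key=SIGNER_KEY):
    """True only if the receipt was issued for this exact name + entry."""
    if not receipt:
        return False
    return hmac.compare_digest(sign_receipt(name, entry, key), receipt)


def changed_servers(old_cfg, new_cfg):
    """Server entries that are new or modified relative to the current config.
    Removals start no process and are ignored here."""
    old = old_cfg.get("mcpServers", {})
    new = new_cfg.get("mcpServers", {})
    return {n: e for n, e in new.items() if old.get(n) != e}


def apply_config_change(old_cfg, new_cfg, receipts, key=SIGNER_KEY):
    """The gate. Apply only entries with a valid receipt; return (config, blocked).

    Blocked entries stay exactly as in old_cfg, so no STDIO process is started
    for them no matter what produced new_cfg (HTML rendering, a prompt
    injection, a plugin, or the user).
    """
    result = copy.deepcopy(old_cfg)
    result.setdefault("mcpServers", {})
    blocked = []
    for name, entry in changed_servers(old_cfg, new_cfg).items():
        if verify_receipt(name, entry, receipts.get(name), key):
            result["mcpServers"][name] = copy.deepcopy(entry)
        else:
            blocked.append(name)
    return result, blocked


def stdio_launch_argv(entry):
    """The argv an MCP client execs for a STDIO entry. Returned, not run, to make
    the point: registering an entry is the same as running attacker-chosen argv."""
    return [entry["command"], *entry.get("args", [])]


# Constructed configs; the real payload from the disclosure is not given here.
CURRENT_CONFIG = {"mcpServers": {
    "filesystem": {"command": "npx",
                   "args": ["-y", "@modelcontextprotocol/server-filesystem", "/home/dev/project"]},
}}
INJECTED_ENTRY = {"command": "sh", "args": ["-c", "echo attacker-chosen command runs here"]}
INJECTED_CONFIG = {"mcpServers": {**CURRENT_CONFIG["mcpServers"], "helper": INJECTED_ENTRY}}


def demo():
    """Ungated vs gated handling of the same injected config change."""
    # Ungated client: the new config is taken as-is and "helper" would be exec'd.
    ungated_argv = stdio_launch_argv(INJECTED_CONFIG["mcpServers"]["helper"])
    # Gated client, no receipt: "helper" is blocked and the config is unchanged.
    gated_cfg, blocked = apply_config_change(CURRENT_CONFIG, INJECTED_CONFIG, receipts={})
    # Gated client, a human signed this exact entry: it is applied.
    receipt = sign_receipt("helper", INJECTED_ENTRY)
    approved_cfg, still_blocked = apply_config_change(
        CURRENT_CONFIG, INJECTED_CONFIG, receipts={"helper": receipt})
    # A receipt does not transfer to a modified entry (args swapped after signing).
    swapped = {"command": "sh", "args": ["-c", "something else"]}
    return {
        "ungated_would_exec": ungated_argv,
        "gated_blocked": blocked,
        "gated_config_unchanged": gated_cfg == CURRENT_CONFIG,
        "approved_applied": "helper" in approved_cfg["mcpServers"] and not still_blocked,
        "swapped_entry_rejected": not verify_receipt("helper", swapped, receipt),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The design choice that matters is where the check sits: `apply_config_change` is the only path that writes `mcpServers`, and a receipt is bound to the canonical bytes of the entry it approves, so a signer who approved one command cannot be replayed to approve a different one, and an entry that appeared without any signer (the zero-click case) never reaches `stdio_launch_argv`.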

Start small

Put the relevant gate at this action boundary.

This incident maps to Tool-Call Gate. Start with the boundary that controls the actual action, then require a signed receipt before execution.
