What happened
CVE-2026-30615 documents a Windsurf-specific prompt-injection vulnerability where exploitation requires zero user interaction. The agent processes attacker-controlled content as part of its normal flow and executes arbitrary commands.
This is the most severe variant in a class of MCP-based prompt-injection vulnerabilities affecting Cursor, VS Code, Windsurf, Claude Code, and Gemini-CLI; Windsurf is the only one where exploitation requires no user interaction at all.
Impact
Full host compromise via the agent's tool surface (shell, file system, network).