{"id":"CVE-2026-48989","summary":"Windows-MCP: HTTP transports expose unauthenticated PowerShell control with wildcard CORS","details":"Windows-MCP is an open-source project that integrates AI agents with Windows. In versions prior to 0.7.5, certain HTTP modes exposed the MCP control plane without authentication while enabling wildcard CORS (allow_origins=*, allow_methods=*, allow_headers=*). Because the same server also exposed a PowerShell tool that executes caller-controlled commands as the Windows user running Windows-MCP, attackers could reach the control plane from arbitrary origins or non-browser clients and achieve arbitrary PowerShell execution. This issue was fixed in version 0.7.5.","aliases":["GHSA-vrxg-gm77-7q5g","PYSEC-2026-3425"],"modified":"2026-07-13T16:43:34.100513962Z","published":"2026-06-17T21:02:15.047Z","database_specific":{"cwe_ids":["CWE-306"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/48xxx/CVE-2026-48989.json","cna_assigner":"GitHub_M"},"references":[{"type":"WEB","url":"https://github.com/CursorTouch/Windows-MCP/releases/tag/v0.7.5"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/48xxx/CVE-2026-48989.json"},{"type":"ADVISORY","url":"https://github.com/CursorTouch/Windows-MCP/security/advisories/GHSA-vrxg-gm77-7q5g"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-48989"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/cursortouch/windows-mcp","events":[{"introduced":"0"},{"fixed":"470b2991b3eb9873cc3841db70a5685156c049c5"}],"database_specific":{"extracted_events":[{"introduced":"0"},{"fixed":"0.7.5"}],"source":["AFFECTED_FIELD","REFERENCES"]}}],"versions":["v0.7.4","v0.7.1","v0.7.0","v0.6.9","v0.6.2","v0.6.0","v0.5.8","v0.5.4","v0.3","v0.2","v0.1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-48989.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"}]}