Authentication Flaw in Windows-MCP Exposes Control Plane to Remote Exploitation
CVE-2026-48989

8.9HIGH

Key Information:

Vendor: Cursortouch
Status: Windows-mcp
Vendor: CVE Published:; 17 June 2026

🔔 Create Cursortouch Vulnerability Alert

What is CVE-2026-48989?

The Windows-MCP project is susceptible to an authentication bypass due to misconfigured HTTP modes that allow the MCP control plane to be accessed without proper authentication. Prior to version 0.7.5, this vulnerability enabled wildcard CORS settings, allowing arbitrary origins to interact with the control plane. This oversight, combined with a PowerShell tool that executes commands as the user running Windows-MCP, could enable attackers to remotely execute arbitrary commands within the context of the affected system. The vulnerability was resolved in version 0.7.5, which is critical for users to upgrade to in order to mitigate the risks associated with this issue.

Affected Version(s)

Windows-MCP < 0.7.5

References

https://github.com/CursorTouch/Windows-MCP/security/advis...

x_refsource_CONFIRM

https://github.com/CursorTouch/Windows-MCP/releases/tag/v...

x_refsource_MISC

CVSS V4

Score:

8.9

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 17, 2026
Vulnerability Reserved
May 26, 2026

CVE-2026-48989 Data

JSON