Critical RCE in Autodesk Fusion CAD: CVE-2026-10789 (CVSS 9.6) β€” Update to 2703.1.20

Autodesk Fusion's desktop CAD has a critical flaw (CVSS 9.6, CVE-2026-10789). With the MCP extension enabled, simply opening a malicious web page can run attacker code on your PC, risking design-data theft and full takeover. Versions before 2703.1.20 are affected; update now.

News

Makoto Horikawa (Backend Engineer / AWS / Django)

2026.06.23, 6 min read

Autodesk Fusion, the CAD software widely used in design and manufacturing, has a critical flaw in its desktop edition. It is tracked as CVE-2026-10789, with a CVSS score of 9.6 ("Critical"). Autodesk's advisory (adsk-sa-2026-0008) was published on June 22, 2026.

The conditions are specific: if Autodesk Fusion Desktop is running with the "MCP extension" enabled and the user opens a maliciously crafted web page, attacker-supplied code runs on that machine, at the current user's privileges. Affected versions are 2703.1.11 up to (but not including) 2703.1.20; the fix is 2703.1.20.

Software: Autodesk Fusion Desktop
CVE: CVE-2026-10789 (adsk-sa-2026-0008)
Severity: CVSS 9.6 (Critical)
Affected: 2703.1.11 up to (but not including) 2703.1.20
Fixed in: 2703.1.20 and later
Preconditions: MCP extension enabled + opening a malicious page
Published: June 22, 2026

Who is at risk, and what is the damage

The targets are designers, manufacturing engineers, and individual makers who work in Autodesk Fusion, lured to a booby-trapped web page. Links in email or social media, or fake pages slipped into search results, are all common lures. The everyday habit of keeping CAD open while looking something up in a browser is the entry point.

When someone running Fusion with the MCP extension enabled opens that trap page, the attacker can run arbitrary programs on that PC. It does not need to force any lock; it exploits the moment the user simply opens a page. Because code runs at the user's privileges, whatever files and network that person can reach are within the attacker's grasp.

The realistic damage starts with theft of local design data. Drawings and 3D models are a company's competitive edge, and a leak leads straight to copying or data exposure. Beyond that, the compromised PC can be a foothold to spread into the internal network, or to deploy ransomware that encrypts files for extortion. That is why the update and setting review below are urgent.

One caveat: exploitation requires the "MCP extension" to be enabled. MCP (Model Context Protocol) is a relatively new way to connect AI to external tools and data, and Fusion has been adding support for it. Convenient as it is, this entry point can become an attack path, the kind of problem that warrants more care as AI-to-software integrations spread.

What is happening, technically

It is classified as CWE-94 (Improper Control of Generation of Code, i.e. code injection). A malicious web page sends crafted input to Fusion's enabled MCP extension, causing something that should be treated as data to be executed as code.

The CVSS vector is AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H: over the network, low complexity, no prior privileges, but UI:R, meaning the one required action is the user opening a page. Meanwhile S:C (scope change) shows the impact reaches beyond the extension into the host machine, with high confidentiality, integrity, and availability impact. The 9.6 reflects that combination.

On the same day, June 22, 2026, other AI tools also saw flaws around the MCP entry point. For example, IBM's Langflow had an MCP authorization gap (CVE-2026-7664), among others. The MCP mechanism that links AI to the outside world is becoming a fresh attack surface across products.

Confirmed vs. still unknown

✓ Confirmed facts

  • CVE-2026-10789 is CVSS 9.6; visiting a malicious page can lead to arbitrary code execution (NVD / Autodesk)
  • Affected 2703.1.11 up to (but not including) 2703.1.20; fixed in 2703.1.20 and later
  • Exploitation requires the MCP extension enabled and the user opening a trap page

? Not yet confirmed

  • Whether it has been exploited in the wild (not on CISA KEV at the time of writing)
  • Whether a public PoC exists (no reliable public information confirmed at the time of writing)

What to do now

The top priority is to update Autodesk Fusion to 2703.1.20 or later. On Windows use "Fusion Client Downloader.exe," on macOS "Fusion Client Downloader.dmg." Fusion often auto-updates, so first check that your version is 2703.1.20 or higher.

If you cannot update right away, disabling the MCP extension removes the precondition for this attack. If it is enabled but you do not use MCP integration, turn it off regardless. The basic habit of not clicking unknown links while CAD is open also helps. Organizations with many Fusion installs should inventory deployed versions and check for old builds left behind.
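
For the inventory step, here is an added example (not part of the article and not Autodesk tooling) that compares collected version strings against the advisory's range numerically rather than as text, and sorts hosts into action buckets, with the MCP precondition deciding urgency. The hostnames, versions, and the mcp_enabled flag are constructed for illustration; how you gather them from real machines (endpoint management, software inventory) is outside what the article specifies.

```python
from typing import Iterable, NamedTuple, Tuple

# Range quoted in the advisory: 2703.1.11 up to, but not including, 2703.1.20.
AFFECTED_MIN = "2703.1.11"
FIXED = "2703.1.20"


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2703.1.11' into (2703, 1, 11) so components compare as integers.
    Comparing raw strings is wrong: '2703.1.9' sorts after '2703.1.11'."""
    parts = v.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version string: {v!r}")
    return tuple(int(p) for p in parts)


def is_affected(version: str) -> bool:
    """True when version lies inside [AFFECTED_MIN, FIXED)."""
    return parse_version(AFFECTED_MIN) <= parse_version(version) < parse_version(FIXED)


class Host(NamedTuple):
    name: str
    version: str
    mcp_enabled: bool   # assumed to be reported by your endpoint inventory


def triage(inventory: Iterable[Host]) -> dict:
    """Sort hosts into buckets: affected build + MCP enabled is urgent,
    affected build without MCP still needs the update, fixed builds are ok."""
    buckets: dict = {"update_urgent": [], "update": [], "ok": [],
                     "below_range": [], "unknown": []}
    for host in inventory:
        try:
            v = parse_version(host.version)
        except ValueError:
            buckets["unknown"].append(host.name)       # could not parse; check by hand
            continue
        if v < parse_version(AFFECTED_MIN):
            buckets["below_range"].append(host.name)   # outside the quoted range; verify against the advisory
        elif v >= parse_version(FIXED):
            buckets["ok"].append(host.name)
        elif host.mcp_enabled:
            buckets["update_urgent"].append(host.name)
        else:
            buckets["update"].append(host.name)
    return buckets


# Constructed sample inventory (names, versions and flags are made up).
SAMPLE_INVENTORY = [
    Host("cad-ws-01", "2703.1.11", True),
    Host("cad-ws-02", "2703.1.19", False),
    Host("cad-ws-03", "2703.1.20", True),
    Host("cad-ws-04", "2703.1.9", True),    # a string compare would misplace this one
    Host("cad-ws-05", "2704.0.1", False),
    Host("cad-ws-06", "unknown", True),
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Hosts in update_urgent meet both preconditions the article names (affected build, MCP extension enabled) and should be patched or have the extension disabled first; the below_range bucket exists because the advisory's range starts at 2703.1.11, so older builds need a separate decision rather than a silent "ok".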

Summary

CVE-2026-10789 is a CVSS 9.6 flaw in the popular CAD tool Autodesk Fusion: with the MCP extension enabled, simply opening a malicious page can lead to arbitrary code execution. Affected versions are 2703.1.11 up to (but not including) 2703.1.20, with a fix in 2703.1.20. Updating, and disabling the MCP extension if unused, are the immediate priorities.

Design data is, directly, a company's or an individual's property. As convenient AI-to-software features multiply, it is worth remembering that each new connection point can also become an entry point.
