Command Injection in vscode-java (CVE-2026-12856, CVSS 8.8): A Malicious Java File Can Take Over Your Machine. Update to 1.55.0
Language Support for Java by Red Hat, a popular VS Code extension, has a flaw (CVE-2026-12856, CVSS 8.8): opening a malicious Java file and clicking a JavaDoc hover link can take over your machine. Update to 1.55.0.
A serious vulnerability has been found in "Language Support for Java by Red Hat," a widely used extension for writing Java in Visual Studio Code (VS Code). If you open maliciously crafted Java code and click a link inside the documentation popup that appears, your machine can be taken over (arbitrary code execution). The identifier is CVE-2026-12856, with a severity of CVSS 8.8 out of 10. Red Hat published the details on June 29, 2026, and the issue is fixed in extension version 1.55.0.
This extension adds Java features to VS Code (code completion, error reporting, navigation, and more) and is a staple for Java developers with a very large user base. The hole was in how the popup is built when you hover over the documentation comments (JavaDoc) written in source code. The scary part, easy to overlook, is that simply "reading" or "browsing" code can lead to harm.
| Item | Details |
|---|---|
| CVE | CVE-2026-12856 |
| Target | Language Support for Java by Red Hat (VS Code extension / vscode-java) |
| Type | Argument injection (hidden command in a documentation popup) |
| What happens | Arbitrary VS Code command execution, leading to machine takeover |
| Severity (CVSS) | 8.8 (NVD / CVSS v3.1) |
| Affected / Fixed | before 1.55.0 / 1.55.0 |
*The enterprise development environment "Red Hat OpenShift Dev Spaces 3" is also affected because it bundles this extension (Red Hat security information).
Who is at risk, and what is the damage
This hole can be exploited by an attacker who can get a developer to open booby-trapped Java code. There is no shortage of moments when developers open someone else's code in VS Code: a handy-looking sample or library posted in a public repository, a job application "coding challenge," a verification project attached to a technical article, a fix proposed in a pull request. The attacker just plants the trap there; no special login or privileges are required.
Here is the trap. Inside a documentation comment (JavaDoc) in the code, the attacker embeds a "hidden link that runs a command in VS Code," disguised as an ordinary reference link. When the developer hovers over that code, a documentation popup appears, and the moment they carelessly click the displayed link, the attacker's chosen command runs. Depending on the command, it can be chained all the way to running a program fetched from outside.
The essence of the damage is that the developer's own machine gets taken over. A development machine concentrates assets that reach the heart of an organization: credentials for internal systems, cloud keys, unreleased source code, and tokens for various services. Compromise one and it can spread into other systems from there, or even contaminate the products you ship (a supply-chain attack). Because the attack passes through the "foundation" of a development tool's extension, it underscores the need to review the security of the software you depend on, all at once. Our OSS supply-chain scanner also covers the importance of inspecting these "weaknesses in foundational software." The pattern of a developer's machine being seized just by opening malicious code is the same family as the flaws in the code editor "Zed" (CVE-2026-44461 and others).
What this extension is, and whether you are affected
"Language Support for Java by Red Hat" is the extension that adds core Java development features to VS Code. Its identifier is redhat.java, and it is commonly known among developers as vscode-java. It provides completion, instant error display, go-to-definition, refactoring, and more, and is included in the "Extension Pack for Java" that many install in one shot. If you write Java, there is a good chance you have it without realizing.
To check whether you are affected, look for "Language Support for Java(TM) by Red Hat" in the VS Code extensions list and see whether the version is older than 1.55.0. People who installed the Java extension pack, and organizations using the enterprise "Red Hat OpenShift Dev Spaces 3," are also affected. Conversely, if you do not write Java and do not have this extension, you are not subject to this particular vulnerability.
How it leads to takeover
VS Code has a special mechanism (links starting with command:) that invokes editor features (commands) when a link is clicked. This is meant for trusted extensions to call their own features, and it should never appear in text coming from outside. But when vscode-java formatted JavaDoc (documentation comments) into a tidy popup, it treated all of that text (Markdown) as trusted and kept these command links live.
In other words, if an attacker plants a crafted command link in a Java comment, it gets displayed as part of the legitimate documentation popup. When the developer clicks the link, the attacker's intended VS Code command runs, and from there it can branch into things like executing an external program. The classification is "argument injection" (CWE-88), exploiting insufficient validation of the arguments passed to a command. The fixed 1.55.0 was changed to strip (sanitize) command links from hovered JavaDoc (the release note "Sanitize existing command links from hover Javadocs"). Details are summarized in the GitHub Security Advisory (GHSA-7qv8-6qrw-3crv) and Red Hat's bug report.
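The defensive step the 1.55.0 fix describes ("Sanitize existing command links from hover Javadocs") can be illustrated with a small filter that runs over the Markdown built from JavaDoc before it reaches a hover. This is an added example written for this article, not vscode-java's own code; the command id `example.doSomething` and the sample hover text are constructed.

```typescript
// Added example, not code from vscode-java. Strips every way a `command:` link can be
// written in Markdown so untrusted JavaDoc cannot carry one into a hover popup.
// `example.doSomething` is a made-up command id used only as sample input.

/** True if a Markdown link destination uses VS Code's `command:` scheme. */
function isCommandUri(dest: string): boolean {
  const d = dest.trim().replace(/^<|>$/g, "").trim();
  return /^command:/i.test(d);
}

// [text](dest "title") and ![alt](dest); the destination may be <bracketed>.
const INLINE_LINK = /(!?\[[^\]]*\])\(\s*(<[^>]*>|[^)\s]+)(?:\s+"[^"]*")?\s*\)/g;
// Reference-style definitions at line start: [id]: dest
const REF_DEF = /^[ ]{0,3}\[[^\]]+\]:[ \t]*(\S+).*$/gm;
// Autolinks: <command:...>
const AUTOLINK = /<[ \t]*command:[^>]*>/gi;
// Raw HTML anchors: <a href="command:...">
const HTML_HREF = /(<a\b[^>]*\bhref[ \t]*=[ \t]*["'])[ \t]*command:[^"']*(["'])/gi;

/** Remove command: links in all four forms; https:// and other links are left untouched. */
function sanitizeHoverMarkdown(md: string): string {
  // Inline link/image to a command: keep only the visible label as plain text.
  let out = md.replace(INLINE_LINK, (whole, label: string, dest: string) =>
    isCommandUri(dest) ? label.replace(/^!?\[/, "").replace(/\]$/, "") : whole,
  );
  // Reference definition pointing at a command: drop it, so [text][id] renders literally.
  out = out.replace(REF_DEF, (whole, dest: string) => (isCommandUri(dest) ? "" : whole));
  out = out.replace(AUTOLINK, "");
  // HTML anchor: neutralise the href instead of trusting it.
  out = out.replace(HTML_HREF, (_whole, head: string, quote: string) => `${head}#${quote}`);
  return out;
}

// In the extension the result would then be wrapped without trusting it:
//   const hover = new vscode.MarkdownString(sanitizeHoverMarkdown(javadocMarkdown));
//   // leave hover.isTrusted false, or allowlist: hover.isTrusted = { enabledCommands: [...] }

// Constructed sample: crafted JavaDoc after conversion to Markdown, mixing all four forms.
const SAMPLE_HOVER = [
  "Returns the user name.",
  "See [the docs](command:example.doSomething?%5B%22arg%22%5D) and [JLS](https://docs.oracle.com/javase/specs/).",
  "",
  "More: [here][1] or <command:example.doSomething> or <a href=\"command:example.doSomething\">click</a>",
  "",
  "[1]: command:example.doSomething",
].join("\n");
```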
"Trusted workspaces" are the key
According to Red Hat, the attack succeeds in a "trusted workspace." VS Code has a safety feature called "Workspace Trust" that asks whether to trust a folder you open; if you do not trust it, it opens in "Restricted Mode," which holds back things like automatic code execution. The command execution here is also suppressed in Restricted Mode.
The problem is that many developers reflexively click "Trust" on the "Do you trust the authors of the files in this folder?" prompt. If you immediately trust a freshly cloned repository from someone else, the trap works. Updating to the fixed version is the top priority, but while you cannot update, a practical self-defense is to avoid casually trusting unfamiliar code and to browse it in Restricted Mode.
What to do now
The top priority is updating the extension. In the VS Code extensions view (the square icon on the side), open "Language Support for Java(TM) by Red Hat" and confirm the version is 1.55.0 or later. Auto-update will raise it over time, but update manually to be sure. If you use the Java extension pack, this extension inside it is the target. Organizations providing "Red Hat OpenShift Dev Spaces" should apply updates per Red Hat's guidance.
If you cannot update right away, the interim defense is to not open code of unknown origin with "Trust." Review received projects in Restricted Mode first, and avoid carelessly clicking links shown in JavaDoc documentation popups, to dodge the precondition for harm. If you distribute VS Code to many developers, inspect extension versions and update outdated machines first.
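For the "inspect extension versions" step, the lines printed by `code --list-extensions --show-versions` (one `publisher.name@version` per line) can be checked programmatically. This is an added example for this article, not a Red Hat or VS Code tool; the sample listings below are constructed.

```typescript
// Added example, not a Red Hat or VS Code tool. Parses `code --list-extensions --show-versions`
// output and reports whether redhat.java is older than the fixed 1.55.0.

const JAVA_EXT_ID = "redhat.java";
const FIXED_VERSION = "1.55.0";

/** Numeric dotted-version compare: negative if a < b, 0 if equal, positive if a > b. */
function compareVersions(a: string, b: string): number {
  const pa = a.split(".").map((n) => parseInt(n, 10) || 0);
  const pb = b.split(".").map((n) => parseInt(n, 10) || 0);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const diff = (i < pa.length ? pa[i] : 0) - (i < pb.length ? pb[i] : 0);
    if (diff !== 0) return diff;
  }
  return 0;
}

/** Parse one `publisher.name@version` line; null for blank or malformed lines. */
function parseExtensionLine(line: string): { id: string; version: string } | null {
  const m = /^\s*([A-Za-z0-9][\w-]*\.[\w-]+)@(\d+(?:\.\d+)*)\s*$/.exec(line);
  return m ? { id: m[1].toLowerCase(), version: m[2] } : null;
}

/**
 * "not-installed": redhat.java absent, so this CVE does not apply;
 * "vulnerable": installed and older than 1.55.0; "fixed": 1.55.0 or newer.
 */
function javaExtensionStatus(listOutput: string): "not-installed" | "vulnerable" | "fixed" {
  for (const line of listOutput.split(/\r?\n/)) {
    const ext = parseExtensionLine(line);
    if (ext && ext.id === JAVA_EXT_ID) {
      return compareVersions(ext.version, FIXED_VERSION) < 0 ? "vulnerable" : "fixed";
    }
  }
  return "not-installed";
}

// Constructed sample listings (real input: `code --list-extensions --show-versions`).
const SAMPLE_LIST_OLD = "vscjava.vscode-java-pack@0.25.0\nredhat.java@1.54.0\n";
const SAMPLE_LIST_NEW = "redhat.java@1.55.0\n";
const SAMPLE_LIST_NONE = "ms-python.python@2024.0.1\n";
```

Run it against each developer machine's listing and update the ones reported as "vulnerable" first.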
Summary
CVE-2026-12856 is an argument injection flaw in "Language Support for Java by Red Hat," the Java extension for VS Code. By planting a command link in the JavaDoc of malicious Java code, an attacker can run an arbitrary VS Code command, and reach machine takeover, when a developer clicks the link in a documentation popup. The fixed 1.55.0 is already out, so applying the update is the key step.
Opening other people's code is part of a developer's daily routine, and editors and extensions sit at that entrance. That is exactly why this is a good moment to both update your development tools and revisit the habit of not casually trusting unfamiliar code.
FAQ
I write Java in VS Code. Am I necessarily at risk?
Harm occurs when you open malicious code, "trust" that workspace, and click a link inside the documentation popup. If you only handle your own trusted code, it is not an immediate danger; but since you do open others' code at times, we strongly recommend updating the extension to 1.55.0 or later.
How do I check my version?
In the VS Code extensions view, open "Language Support for Java(TM) by Red Hat" and the version appears near the name. If it is older than 1.55.0, you are affected: update it. If it came via the Java extension pack, the same extension is the target.
I can't update right away. What can I do now?
Do not open projects of unknown origin with "Trust"; review them in VS Code's Restricted Mode. Also, avoid carelessly clicking links shown in JavaDoc documentation popups to avoid the precondition for harm.
Is it already being exploited?
As of this article, we have not confirmed any public report of real-world exploitation (such as listing in the U.S. CISA "Known Exploited Vulnerabilities" catalog). But the technique is easy to understand and the severity is high, so updating early, before exploitation begins, is important.
Update history
- June 30, 2026: First published (based on the NVD release of June 29, the fixed version 1.55.0 published June 25, and GHSA-7qv8-6qrw-3crv).
Makoto Horikawa
Backend Engineer / AWS / Django