eastbaycyber

CVE-2026-10789: Autodesk Fusion Desktop MCP Extension Risk

CVE explainers 10 min read
SR
Security Research Desk Expert reviewed
Threat intelligence · Human-verified · Updated 2026-06-22
▲ Escalation ViewOne CVE, briefed at three altitudes — skim the Brief, weigh the Impact, or work the Runbook. The way a SOC actually reads it.
CISOBrief · 30-second brief
Field Value
CVE ID CVE-2026-10789
CVSS score 9.6 (Critical)
Attack vector Web-based user interaction
Authentication required Unknown
Patch status Vendor advisory exists, exact fixed version not confirmed

TL;DR - CVE-2026-10789 is a critical Autodesk Fusion Desktop flaw in the MCP extension. - Risk is triggered when a user visits a malicious webpage while Fusion Desktop is running with MCP enabled. - Treat as high priority even though public exploitation and fixed versions are not yet confirmed.

What is CVE-2026-10789?

CVE-2026-10789 is a critical vulnerability affecting Autodesk Fusion Desktop, specifically its MCP extension. According to the NVD description, a maliciously crafted webpage can trigger the issue when visited by a user who has Fusion Desktop running with the MCP extension enabled. If exploitation succeeds, arbitrary code may execute with the privileges of the current user.

That combination matters operationally because it points to a browser-to-local-application attack path rather than a traditional server-side compromise. In practical terms, a user may only need to browse to hostile content while the Autodesk application is active for the attacker to gain code execution in the user context. The available public description does not disclose the precise root cause, so defenders should avoid assuming this is only a browser problem or only an Autodesk plugin problem. The safer assumption is that the application-to-web interaction surface is exposed and should be reduced until verified patched.

The public description is also explicit about two important preconditions: Fusion Desktop must be running, and the MCP extension must be enabled. That means not every Autodesk endpoint is equally exposed at all times. Systems where the product is installed but not in use, or where MCP is disabled, are likely lower risk than design workstations actively using the affected component.

AnalystImpact · assess the risk

Quick Impact Assessment for Defenders

For security teams, this is best categorized as a client-side code-execution issue with user interaction. It is not described as a wormable network service bug, but the severity remains high because the trigger condition, visiting a webpage, is common and easy to socially engineer. Engineering teams, contractors, or CAD users who regularly browse supplier portals, download models, or access community content may be realistic targets.

The payload runs with the privileges of the current user. That does not automatically imply full administrative control, but on many creative or engineering workstations, users have broad local permissions, access to sensitive IP, and stored credentials. Even without admin rights, successful exploitation could still lead to data theft, session hijacking, persistence in the user profile, lateral movement via stolen tokens, or abuse of trusted development and design workflows.

Because the precise vulnerability class is not publicly described in the source material available here, you should assume that endpoint telemetry, browser-to-process relationships, and local inter-process communication are the best places to look for evidence. It would be premature to claim command injection, deserialization, or origin-validation failure without Autodesk’s full advisory text.

Affected Products and Versions

The confirmed affected product is Autodesk Fusion Desktop, and the affected component is the MCP extension. The NVD entry clearly ties the vulnerability to that extension, not to Autodesk’s entire portfolio. That helps narrow triage: focus first on workstations where Fusion Desktop is installed and where MCP is enabled in active workflows.

However, the exact affected version ranges are not available from the accessible source text provided. The vendor advisory referenced by NVD is adsk-sa-2026-0008, but its full contents were not retrievable in the research context because the advisory page returned HTTP 403. As a result, the following facts are unknown from currently accessible primary-source text:

Version detail Status
Affected version range Unknown
Fixed version number Unknown
Patched build number Unknown
Whether auto-update covers MCP separately Unknown

Because the user asked for specific affected version ranges and fixed version numbers, the evidence-based answer is that they are not currently verifiable from the available source set. Defenders should not fill that gap with assumptions. In the absence of vendor-confirmed version data, treat all Autodesk Fusion Desktop installations with MCP enabled as potentially affected until Autodesk advisory adsk-sa-2026-0008 is reviewed directly through a trusted channel.

CVSS and Severity Interpretation

NVD assigns CVE-2026-10789 a CVSS base score of 9.6 and rates it Critical. That score is consistent with a vulnerability that can lead to arbitrary code execution and that may be triggered through common user behavior. A score at this level should move the issue into the same operational queue as actively exploitable endpoint RCE-class flaws, even if exploitation in the wild is not yet confirmed.

The full CVSS vector string was not available in the retrieved NVD output, so it would be incorrect to infer exact values for attack complexity, privileges required, or user interaction beyond what the description states. We do know the attack involves a malicious webpage and that the user must visit it while Fusion Desktop is running with MCP enabled. We do not have source-backed data confirming whether the vulnerable component requires prior authentication, whether the MCP extension exposes a local listener, or how the browser-mediated trigger is technically delivered.

From a prioritization standpoint, the practical takeaway is straightforward: a critical score plus a common lure mechanism plus a desktop application in engineering environments equals high remediation urgency. Even without confirmed exploitation, these conditions are attractive to attackers because the target population often has access to valuable intellectual property.

Exploitation Status and PoC Availability

At the time of writing, there is no CISA KEV listing for CVE-2026-10789. That means there is no CISA-confirmed public evidence of exploitation in the wild based on the Known Exploited Vulnerabilities catalog. This should be stated carefully: absence from KEV is not proof of safety. It only means there is no KEV entry as of 2026-06-22.

There is also no confirmed public proof of concept in the retrieved sources. Public repositories related to Autodesk Fusion MCP surfaced in contextual searching, but those should not be treated as exploit code for this CVE. They indicate that MCP-related functionality exists in public ecosystems, which is useful for understanding exposure, but they are not evidence of active weaponization.

So the evidence-backed status is:

Question Current answer
Exploitation confirmed in the wild? No confirmed evidence from CISA KEV or retrieved sources
Public PoC exists? None confirmed from retrieved sources
Should defenders wait for confirmation before acting? No

In the absence of confirmed exploitation data, defenders should assume the vulnerability is likely to attract rapid scrutiny because it combines high severity with a web-triggered pathway. Organizations with Fusion Desktop deployed broadly should patch or isolate before public exploit maturity improves.

ResponderRunbook · act now

Detection and Hunting Guidance

Detection will be challenging until Autodesk or the research community publishes deeper technical indicators. Still, the available description gives defenders a useful hypothesis: look for suspicious process execution or local IPC activity that originates from browser activity while Fusion Desktop is running with MCP enabled.

Start with endpoint telemetry. Hunt for unusual child processes spawned by Fusion Desktop, especially scripting engines, shell interpreters, or installers. Also review browser-to-Fusion timing correlations. If a user visits an untrusted webpage and Fusion shortly after launches a subprocess, opens a loopback connection, or touches unexpected user-profile paths, that deserves investigation.

A second angle is network and local communications. Because the vulnerability is triggered by a webpage and affects a desktop extension, defenders should inspect loopback traffic, localhost HTTP requests, WebSocket activity, or custom localhost bindings associated with Fusion Desktop. This is not proof that the product uses a local HTTP service, but it is a reasonable place to look when browser content appears able to influence a local application.

Technical Notes

Example Windows process hunting logic in Microsoft Defender XDR or similar telemetry:

DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName in~ ("Fusion360.exe", "Fusion.exe")
| where FileName in~ ("cmd.exe","powershell.exe","wscript.exe","cscript.exe","mshta.exe","rundll32.exe","regsvr32.exe")
| project Timestamp, DeviceName, InitiatingProcessFileName, FileName, ProcessCommandLine, InitiatingProcessCommandLine, AccountName
| order by Timestamp desc

Example suspicious loopback or local-service hunting query:

DeviceNetworkEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName in~ ("Fusion360.exe", "Fusion.exe", "chrome.exe", "msedge.exe", "firefox.exe")
| where RemoteIP in ("127.0.0.1", "::1")
| project Timestamp, DeviceName, InitiatingProcessFileName, RemoteIP, RemotePort, RemoteUrl, InitiatingProcessCommandLine
| order by Timestamp desc

Example Sigma-style process pattern to adapt:

title: Fusion Desktop spawning suspicious child processes
status: experimental
logsource:
  product: windows
  category: process_creation
detection:
  parent:
    ParentImage|endswith:
      - '\Fusion360.exe'
      - '\Fusion.exe'
  child:
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
      - '\mshta.exe'
      - '\wscript.exe'
      - '\cscript.exe'
      - '\rundll32.exe'
  condition: parent and child
level: high

Concrete log pattern to baseline and alert on:

ParentImage=C:\Program Files\Autodesk\*\Fusion*.exe
Image IN (cmd.exe, powershell.exe, mshta.exe, rundll32.exe, wscript.exe)
CommandLine contains suspicious download, script, or encoded content indicators

If you do not have rich EDR telemetry, at minimum collect Windows Security 4688 process-creation events or Sysmon Event ID 1 for Fusion-related parent-child chains. Pair that with browser history, proxy logs, and user reports of suspicious websites visited during design sessions.

Mitigation and Patching

The most important next step is to obtain and review Autodesk advisory adsk-sa-2026-0008 directly through a trusted browser session or vendor support channel. That advisory is the authoritative source for exact affected version ranges and the fixed version number. Because those values were not accessible from the retrieved source set, any specific version claim here would be speculative and should be avoided.

Until you verify patch status, reduce exposure operationally. The best temporary control is to disable the MCP extension anywhere it is not required for business workflows. If disabling the extension is not feasible, enforce stricter browsing separation for users running Fusion Desktop: use a separate standard-user profile, isolate browsing to managed allowlisted domains, or require users to close Fusion Desktop before visiting untrusted websites and community content.

If your environment supports application control, consider blocking Fusion Desktop from spawning script interpreters and other high-risk child processes. That will not necessarily stop all exploit paths, but it can reduce post-exploitation utility and provide high-signal alerts if an attack is attempted.

Technical Notes

Because the exact vendor patch command and fixed build are not available from accessible primary-source text, defenders should use a two-track mitigation plan: disable the risky component now, then upgrade once Autodesk’s advisory confirms the target version.

If Fusion Desktop is deployed through enterprise package management, use your standard inventory workflow to identify installed versions first:

Get-ItemProperty `
  'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
  'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*' |
Where-Object { $_.DisplayName -match 'Autodesk Fusion|Fusion' } |
Select-Object DisplayName, DisplayVersion, Publisher

Example endpoint containment workflow if MCP can be disabled administratively or by configuration management:

# Example placeholder workflow only: verify exact extension/config path in your environment
Stop-Process -Name "Fusion360" -Force -ErrorAction SilentlyContinue
# Disable or remove MCP-related startup/config item via your endpoint management tooling

Example package upgrade pattern for managed Windows fleets using Winget, if your environment already distributes Fusion that way and Autodesk publishes the package there:

winget upgrade --all --include-unknown
winget list Autodesk

If Autodesk does not distribute the patched build through your package channel, do not improvise. Pull the installer or update instructions from Autodesk’s trusted advisory and push it through SCCM, Intune, Jamf, or your software deployment platform. In the absence of confirmed patch details, document systems as “potentially vulnerable” rather than “remediated.”

Operational Response Checklist

Security and IT teams should treat CVE-2026-10789 as a high-priority desktop exposure in engineering environments. Begin by identifying where Autodesk Fusion Desktop is installed, then determine whether the MCP extension is enabled and actively used. If you cannot quickly answer the second question, assume risk is present on systems belonging to design and CAD users.

Next, coordinate with desktop engineering and application owners. The immediate decision is whether the MCP extension can be disabled temporarily without disrupting production design work. If not, implement compensating controls such as browser isolation, application control, and stronger EDR monitoring around Fusion Desktop process behavior.

Finally, establish a validation plan once Autodesk advisory details are available. That should include version verification, successful deployment tracking, and post-patch monitoring to confirm child-process and loopback anomalies return to baseline. Because the available public details are limited, disciplined asset inventory and telemetry review are more valuable here than speculative reverse engineering.

References

Source URL
NVD CVE record https://nvd.nist.gov/vuln/detail/CVE-2026-10789
CISA KEV catalog https://www.cisa.gov/known-exploited-vulnerabilities-catalog
Autodesk advisory reference https://www.autodesk.com/trust/security-advisories/adsk-sa-2026-0008
Autodesk advisory index https://www.autodesk.com/trust/security-advisories
MCP-related public repo context https://github.com/frankhommers/autodesk-fusion-mcp
MCP-related public repo context https://github.com/KevinZhao-07/Fusion-Mcp-Server

For more information on security vulnerabilities, you can check our articles on what is privilege escalation and what is a buffer overflow.

This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.

Last verified: 2026-06-22

Disclaimer: This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.