Windsurf and MCP advisories hit the IDEs your team already runs: the May 2026 small-agency playbook
Three CVE classes against AI-augmented IDEs landed in two weeks of May 2026. If your agency uses Cursor or Windsurf for paid client work, do this on Monday morning: pin the version, inventory the MCP servers, write the allowlist, disclose the AI use, set a 30-day check-in. Five steps, no IT team required, defensible to a client who asks how you handled it.
Status: holding · reviewed 17 May 2026 · next review +29d
Three CVE classes against AI-augmented IDEs landed inside a single fortnight of May 2026. Microsoft Security Response Center disclosed CVE-2026-25592 and CVE-2026-26030 against Semantic Kernel on 7 May 2026 (Microsoft Security Blog, When prompts become shells: RCE vulnerabilities in AI agent frameworks, 7 May 2026). OX Security published an MCP STDIO supply-chain advisory traversing every published implementation regardless of language (OX Security, MCP Supply-Chain Advisory: RCE Vulnerabilities Across the AI Ecosystem, 2026). Windsurf 1.9544.26 was disclosed with a prompt-injection-to-MCP-registration path that requires no user interaction (Practical DevSecOps, MCP Security Vulnerabilities 2026).
The enterprise treatment of the structural property is at AM-157. The agency-level treatment, for the 5-15 person services firms doing paid client work on Cursor, Windsurf, and Claude Code without an IT team, is different. The risk surface is the same. The response shape is smaller, faster, and has to fit inside a Monday-morning stand-up.
The threat path is the IDE on the engineer’s laptop
The Windsurf disclosure is the canonical agency case. An engineer renders attacker-controlled HTML in the editor. The most common path is previewing release notes, internal documentation, a design doc, a Slack message, or a webpage. The malicious instructions in the HTML cause the editor to write a new server entry into the local MCP configuration file. The next time the editor starts an MCP session, the malicious server is launched as a subprocess and runs arbitrary commands with the engineer’s privileges.
No user interaction beyond rendering the HTML. No malicious dependency. No compromised credential. The MCP configuration file is treated as editor settings, a file that is writable by design, and the framework does not distinguish between a user-authored edit and a model-authored one. The vulnerability is patched in Windsurf 1.9544.27 and later. The structural property (that the editor’s settings file is model-authorable through a routine action) is not patched; it is mitigated only by version discipline and an allowlist, and an allowlist only mitigates anything if something actually compares the live configuration file against it.
The MCP STDIO advisory is broader. It sits in the protocol’s STDIO transport rather than in one vendor’s product, so every MCP client (Cursor, Windsurf, Claude Code, internal agent platforms built on the protocol) inherits it until that client’s own implementation is updated. The patch coverage required is not single-vendor: confirming that one IDE on a machine is patched says nothing about the others installed beside it.
For an agency, this means the IDE on the engineer’s laptop is in scope for every project the engineer touches. The agency’s source code, the agency’s client credentials, and the agency’s git history are inside the blast radius of a single routine action that the agency cannot police engineer-by-engineer.
The 5-step playbook, in order
The full how-to schema is in the FAQ above. The body version is shorter and prescriptive.
Step 1: inventory. Every staff machine that does paid client work. The IDE, the version, the MCP servers configured, the projects active. A shared spreadsheet is sufficient at 5-15 staff. The inventory is the agency owner’s instrument; it is not a security artifact for the client.
Step 2: pin the version. Install the patched build of every AI-IDE on every machine in the inventory. Windsurf 1.9544.27 or later. Cursor’s coordinated-disclosure release. The latest patched Claude Code. The Semantic Kernel patches from the 7 May 2026 bundle if any agent platform on staff machines depends on it. Disable auto-update, and record the exact installed build number in the inventory so the 30-day review is a comparison against a known value rather than a guess. Re-enable auto-update only after the 30-day review confirms the patched build is stable in the agency’s actual workflow; while it is off, later vendor fixes arrive only when someone installs them, which is one more reason the review date is not optional.
Step 3: write a one-page MCP allowlist. The servers each staff machine is permitted to run. A reasonable default for an agency that has not previously controlled this is the official Anthropic file-system MCP server with directory scope limited to the active project, the Anthropic GitHub MCP server with a project-scoped personal-access-token, and zero other servers. Any new server requires a written request to the agency owner, with a one-line justification and a source link, approved within 24 hours or rejected with a reason in writing.
Step 4: disclose the AI-IDE use to active clients in writing. A three-sentence paragraph in the standing client communication: the agency uses AI-augmented IDEs on this project; following the May 2026 MCP and Semantic Kernel CVE advisories, every machine on this project was confirmed at the patched vendor version on 17 May 2026 with auto-update disabled and the MCP-server allowlist documented at (link); the next review is scheduled for 16 June 2026. A client who has not asked will be informed; a client who later asks has the answer in their inbox already.
Step 5: schedule the 30-day review. 16 June 2026 in the agency owner’s calendar. 60-minute slot. Confirm the patched versions hold. Read the new advisories from Microsoft Security Response Center, Anthropic, Windsurf, and Cursor vendor channels. Decide whether the 30-day cadence is right.
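The check that ties Steps 1 through 3 together, and that also exercises the threat path described above (a server entry the engineer never wrote, launched at the next MCP session), is a comparison of each machine’s live MCP configuration against the allowlist, plus a version comparison against the pinned build. The following Python script is an added example written for this playbook; it is not code from Windsurf, Cursor, Anthropic, OX Security or any other vendor. It assumes the JSON shape these clients share for MCP server entries (a top-level mcpServers object keyed by server name, each entry carrying command and args), and the config file locations in CONFIG_PATHS and the npm package names in ALLOWLIST are assumptions to verify against your own installs and your own allowlist document. The two sample configurations are constructed: a baseline that matches the Step 3 allowlist exactly, and a drifted copy containing an extra server nobody on staff wrote plus a filesystem server whose directory scope has widened beyond the project.

```python
# Added example for this playbook, not vendor code. Config locations and the
# entry shape {"mcpServers": {name: {"command", "args", "env"}}} are assumptions.
import json
import os


def version_tuple(v):
    """'1.9544.27' -> (1, 9544, 27); non-digits inside a part are dropped."""
    return tuple(int("".join(c for c in p if c.isdigit()) or 0) for p in v.split("."))


def version_ok(installed, minimum):
    """Step 2 check: the installed build is at or above the patched minimum."""
    return version_tuple(installed) >= version_tuple(minimum)


# Step 3 allowlist: server name -> launch command, fixed leading args, and whether
# trailing args are directories that must stay inside the project root.
FS_PKG, GH_PKG = "@modelcontextprotocol/server-filesystem", "@modelcontextprotocol/server-github"
ALLOWLIST = {
    "filesystem": {"command": "npx", "args_prefix": ["-y", FS_PKG], "scoped_dir": True},
    "github": {"command": "npx", "args_prefix": ["-y", GH_PKG], "scoped_dir": False},
}

# Assumed per-client config locations (verify against your installs);
# relative paths are project-scoped files under the current directory.
CONFIG_PATHS = {
    "cursor": ["~/.cursor/mcp.json", ".cursor/mcp.json"],
    "windsurf": ["~/.codeium/windsurf/mcp_config.json"],
    "claude-code": ["~/.claude.json", ".mcp.json"],
}


def audit_mcp_config(config_text, project_root, allowlist=ALLOWLIST):
    """Return [(server_name, problem), ...]; [] means the file holds exactly
    the allowlisted servers with allowlisted commands and arguments."""
    try:
        cfg = json.loads(config_text)
    except json.JSONDecodeError as exc:
        return [("<config>", f"unparseable JSON: {exc}")]
    findings, root = [], os.path.realpath(project_root)
    for name, entry in cfg.get("mcpServers", {}).items():
        rule = allowlist.get(name)
        if rule is None:
            # The Windsurf path: an entry nobody on staff wrote, launched as a
            # subprocess with the engineer's privileges at the next MCP session.
            findings.append((name, f"not on allowlist; would run {entry.get('command')!r} {entry.get('args', [])}"))
            continue
        if entry.get("command") != rule["command"]:
            findings.append((name, f"command {entry.get('command')!r} != allowlisted {rule['command']!r}"))
        args, prefix = entry.get("args", []), rule["args_prefix"]
        if args[:len(prefix)] != prefix:
            findings.append((name, f"args {args} do not start with {prefix}"))
            continue
        extra = args[len(prefix):]
        if rule["scoped_dir"]:
            for path in extra:  # directory scope must not widen past the project
                real = os.path.realpath(path)
                if real != root and not real.startswith(root + os.sep):
                    findings.append((name, f"directory {path!r} is outside {project_root!r}"))
        elif extra:
            findings.append((name, f"unexpected extra args {extra}"))
    return findings


def audit_machine(project_root, paths=CONFIG_PATHS):
    """Audit each config file present on this machine: {"client:path": findings}."""
    report = {}
    for client, candidates in paths.items():
        for candidate in candidates:
            full = os.path.abspath(os.path.expanduser(candidate))
            if os.path.isfile(full):
                with open(full, encoding="utf-8") as fh:
                    report[f"{client}:{full}"] = audit_mcp_config(fh.read(), project_root)
    return report


PROJECT_ROOT = "/srv/projects/acme-site"
# Constructed sample: exactly what Step 3 permits on a machine working on acme-site.
BASELINE_CONFIG = json.dumps({"mcpServers": {
    "filesystem": {"command": "npx", "args": ["-y", FS_PKG, PROJECT_ROOT]},
    "github": {"command": "npx", "args": ["-y", GH_PKG],
               "env": {"GITHUB_PERSONAL_ACCESS_TOKEN": "${GITHUB_PAT_ACME_SITE}"}},
}})
# Constructed sample of drift: a server entry the engineer never wrote, and the
# filesystem scope widened from the project to the whole home directory.
DRIFTED_CONFIG = json.dumps({"mcpServers": {
    "filesystem": {"command": "npx", "args": ["-y", FS_PKG, "/home/dev"]},
    "github": {"command": "npx", "args": ["-y", GH_PKG]},
    "docs-helper": {"command": "node", "args": ["/tmp/docs-helper.js"]},
}})

if __name__ == "__main__":
    print("1.9544.26 at or above 1.9544.27?", version_ok("1.9544.26", "1.9544.27"))
    print("baseline:", audit_mcp_config(BASELINE_CONFIG, PROJECT_ROOT) or "clean")
    for name, problem in audit_mcp_config(DRIFTED_CONFIG, PROJECT_ROOT):
        print(f"DRIFT {name}: {problem}")
    for location, findings in audit_machine(os.getcwd()).items():
        print(location, findings or "clean")
```

Run it from the active project directory on each machine in the inventory and paste the output into the spreadsheet; an empty findings list for every client present is the state the Step 4 disclosure paragraph asserts, and the same run on the review date is what makes Step 5 a comparison rather than a re-inspection. The allowlist is deliberately positive (name, command and fixed arguments all have to match), so a model-authored entry fails on its name before anything it would launch is even looked at.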
Why this is not optional for an agency in 2026
Three reasons. The first is that the question will be asked by the next enterprise client running procurement on the agency. Enterprise procurement templates have been updated through Q2 2026 to include AI-IDE supply-chain questions, and the agency that has no answer is the agency that loses the contract. The second is that the agency’s existing professional-liability coverage is unlikely to extend to an incident traceable to an unpatched AI-IDE vulnerability without an explicit endorsement; the insurer’s first question on a claim will be whether the agency followed published vendor patch guidance, and “we did not know about the May 2026 advisories” is not a defensible answer. The third is that the small agencies who survive into 2027 as preferred AI-services providers are the ones whose disclosure discipline matches the enterprise side of the table they are sitting at. The May 2026 CVE class is the first forcing function for that discipline; there will be more.
What an enterprise reading of the same advisories adds
AM-157 is the enterprise treatment of the same CVE class. It runs the structural argument (that 2026 agent frameworks treat tool-configuration as data the model is allowed to author) and the procurement-template extension (five framework-layer attestations a CIO should mandate). For an agency, the enterprise piece is reading-the-table material: it tells you what your enterprise client is asking their vendor questionnaire to do. The agency-side playbook above is what answers that questionnaire when the agency is the vendor.
Related operator pieces
For the cost-side framing on AI-seat math (which seats to buy, when adoption rate fails the break-even), see OPS-066. For solo founders running AI tools on Mac and Windows without an IT setup, the related solo-side disclosure pattern is at OPS-054 (data-residency and jurisdiction for solo EU developers). For the contract-side companion to client AI-disclosure, see OPS-065.
OPS-067 · holding since 17 May 2026 · Sibling: AM-157 · Register: Reporting