A serious security vulnerability was recently found in Open VSX, the extension marketplace used by popular code editors such as Cursor and Windsurf. The flaw sat in the platform's new pre-publish scanning pipeline.

The flaw, now known as "Open Sesame," let a malicious extension skip the security scan and go live on the marketplace. The attack required no special access or insider knowledge. The Open VSX team acted quickly and shipped a working fix on February 11, 2026, three days after receiving the report. The problem lay in two files: PublishExtensionVersionHandler.java and ExtensionScanService.java.

An attacker could exploit this by preparing a batch of malicious .vsix extension files and submitting them all at once through the publish endpoint.

Under heavy publish load, the database connection pool became exhausted and scanner job queuing failed. The pipeline treated that failure as if there were nothing to scan (a fail-open condition), and the extension went live unscanned. Anyone who installed new or updated extensions from the Open VSX marketplace during the vulnerable window (before the patch of February 11, 2026) should review those extensions carefully.

It is also important to rate-limit the publish endpoints so that repeated flooding cannot exhaust the connection pool. Developers building similar scanning pipelines should keep failure states distinct from "nothing to do" states: the same return value must never signal both a deliberate configuration choice and a system error, because the caller then cannot tell an intended skip from a broken scanner.

If the scanner is unavailable, the right behaviour is to block the extension, not let it through. The patch was released on February 11, 2026.
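
The following is an added example, not code from Open VSX or from the original article. It models the failure chain described above in a toy pipeline: a bounded database connection pool, a scan-queuing step that needs a connection, and a gate that decides whether an upload goes live. The weak gate maps "scanning disabled" and "scan could not be queued" onto the same return value, so a batch of uploads that drains the pool is published unscanned. The hardened gate returns a distinct state for each case, fails closed, and rate-limits the publish endpoint so the pool cannot be drained in the first place. All class names, function names, the pool-size and window-size numbers, and the "scanning disabled" interpretation of the configuration choice are this example's own assumptions.

```python
"""Toy model of a pre-publish scanning gate (added example, not Open VSX code)."""
from collections import defaultdict
from enum import Enum


class ConnectionPool:
    """Bounded pool; acquire() returns False instead of blocking when empty."""

    def __init__(self, size: int):
        self.free = size

    def acquire(self) -> bool:
        if self.free == 0:
            return False
        self.free -= 1
        return True

    def release(self) -> None:
        self.free += 1


class ScanOutcome(Enum):
    QUEUED = "queued"        # scan job persisted, extension waits for a verdict
    DISABLED = "disabled"    # operator turned scanning off (assumed config choice)
    FAILED = "failed"        # infrastructure error: job could not be queued


def enqueue_scan_weak(pool: ConnectionPool, scanning_enabled: bool):
    """'Before' pattern: None means both "nothing to do" and "it broke"."""
    if not scanning_enabled:
        return None
    if not pool.acquire():          # pool exhausted by concurrent publishes
        return None                 # indistinguishable from "scanning disabled"
    try:
        return "scan-job"           # a real pipeline would persist the job here
    finally:
        pool.release()


def gate_weak(pool: ConnectionPool, scanning_enabled: bool) -> str:
    job = enqueue_scan_weak(pool, scanning_enabled)
    if job is None:                 # fail-open: an error looks like "no scan needed"
        return "PUBLISHED"
    return "PENDING_SCAN"


def enqueue_scan_hardened(pool: ConnectionPool, scanning_enabled: bool) -> ScanOutcome:
    """'After' pattern: every state has its own value; the caller must handle each."""
    if not scanning_enabled:
        return ScanOutcome.DISABLED
    if not pool.acquire():
        return ScanOutcome.FAILED
    try:
        return ScanOutcome.QUEUED
    finally:
        pool.release()


def gate_hardened(pool: ConnectionPool, scanning_enabled: bool) -> str:
    outcome = enqueue_scan_hardened(pool, scanning_enabled)
    if outcome is ScanOutcome.DISABLED:
        return "PUBLISHED"          # deliberate operator choice, not an error
    if outcome is ScanOutcome.QUEUED:
        return "PENDING_SCAN"
    return "REJECTED"               # fail closed on any failure to queue the scan


class PublishRateLimiter:
    """Fixed-window counter per publisher; an assumed policy, not the project's."""

    def __init__(self, max_per_window: int):
        self.max_per_window = max_per_window
        self.counts = defaultdict(int)

    def allow(self, publisher: str) -> bool:
        self.counts[publisher] += 1
        return self.counts[publisher] <= self.max_per_window


def simulate_flood(gate, pool_size: int, batch: int, limiter=None) -> list:
    """Submit `batch` uploads from one publisher. Each upload that passes the
    limiter runs the gate and then tries to hold a DB connection for the rest
    of the batch, standing in for a publish still in flight. Returns the gate
    decision (or RATE_LIMITED) for every upload, in order."""
    pool = ConnectionPool(pool_size)
    decisions = []
    for _ in range(batch):
        if limiter is not None and not limiter.allow("attacker"):
            decisions.append("RATE_LIMITED")
            continue
        decisions.append(gate(pool, scanning_enabled=True))
        pool.acquire()              # connection stays held while this publish runs
    return decisions


if __name__ == "__main__":
    # Pool of 2 connections, batch of 4 uploads (constructed numbers).
    print("weak gate:     ", simulate_flood(gate_weak, 2, 4))
    print("hardened gate: ", simulate_flood(gate_hardened, 2, 4))
    print("with limiter:  ", simulate_flood(gate_hardened, 2, 4, PublishRateLimiter(2)))
```

With a pool of two connections and a batch of four, the weak gate publishes the third and fourth uploads without a scan, because pool exhaustion returns the same None that "scanning disabled" does. The hardened gate rejects them, and with the rate limiter in front of the endpoint the later uploads never reach the pool at all.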