VS Code Copilot Billing Bypass Vulnerability, Unlimited Free Use of Premium Model

VS Code Copilot Billing Bypass Vulnerability: Unlimited Use of Premium Models for Free

• Copilot billing can be bypassed using a combination of subagents and agent definitions.
• Requests initiated from the free model are not charged the premium model cost.
• A single message triggered hundreds of Opus 4.5 subagents to run for over 3 hours.

Structural Flaw in Copilot’s Billing System

A critical vulnerability has been discovered in GitHub Copilot’s billing system. This issue, reported as VS Code GitHub issue #292452, stems from the combination of the subagent feature and agent definitions.^{[GitHub Issues]}

The method is simple: start a chat with the free model, define an agent that uses the premium model, and then call it with runSubagent.

Issue: Cost Calculation Applies Only to the Initial Model

The key is that request costs are calculated based only on the initial model. If you start with the free model, no cost is incurred even if the subagent uses the premium model. A single message triggered hundreds of Opus 4.5 subagents to run for over 3 hours, but only 3 credits were consumed.^{[GitHub Issues]}

This isn’t a UI bug but a design flaw in the billing architecture. The structure doesn’t attribute the subagent model cost to the parent request, which is the root cause.

Lessons in AI Tool Billing Design

This vulnerability illustrates the difficulty of billing design in the age of AI agents. Billing systems based on single model calls can become vulnerable in multi-layered call structures between agents.^{[GitHub Docs]}

Hopefully, this will be helpful for teams operating AI services with similar structures.

Frequently Asked Questions (FAQ)

Q: Does this vulnerability affect all VS Code users?

A: It can only be reproduced in Copilot subscription environments where agent definitions and subagent features are available. It does not apply to those who only use general code autocompletion. It occurs through a specific combination in Copilot Chat with agent mode enabled, and Microsoft is expected to patch it on the server side.

Q: What exactly is a subagent?

A: It’s a structure where an AI agent delegates a specific task to another agent. The main agent divides the task and assigns it to a subagent. The subagent can use a different model than the main agent, and this vulnerability exploits this point.

Q: Could this billing bypass be a legal issue?

A: It may constitute a violation of the terms of service. Most AI services prohibit billing bypasses. This case is a public report for security research purposes, but actual exploitation may result in account suspension or legal action. Responsible disclosure is important when discovering vulnerabilities.

If you found this article helpful, please subscribe to AI Digester.

References

• Billing can be bypassed using a combo of subagents with an agent definition – GitHub (2026-02-03)
• VS Code Repository – GitHub (2026-02-03)
• GitHub Copilot Documentation – GitHub Docs (2026-02-03)