Security Advisory

Cursor AI CVE & Security Incidents

Documented vulnerabilities, security incidents, and risks affecting Cursor IDE users. Updated as new issues are disclosed.

At a glance: 1 Critical, 3 High, 3 Ongoing, 20 Mitigations

Timeline

2024 Q4

MCP vulnerability class publicly discussed

2024 Q3

Multiple prompt injection techniques demonstrated

2024 Q2

Cursor gains significant market share, increasing attacker interest

2024 Q1

VS Code extension supply chain attacks affect Cursor users

2023

Initial security concerns raised about AI coding assistants

Documented Vulnerabilities

MCP Server Arbitrary Code Execution

Severity: Critical | Status: By Design

Model Context Protocol (MCP) servers in Cursor can execute arbitrary code on the host machine with user-level privileges. While this is intentional functionality, security researchers demonstrated that malicious MCP servers could compromise systems completely.

CVE: N/A - Architectural Issue
Disclosed: December 2024

Technical Details

  • MCP servers run with the same privileges as Cursor IDE
  • No sandboxing or permission restrictions on MCP server execution
  • Servers can access filesystem, network, and execute shell commands
  • Social engineering could trick users into installing malicious MCP servers

Impact

  • Complete system compromise if malicious MCP server installed
  • Data exfiltration from local filesystem
  • Credential theft from environment variables and configs
  • Potential for lateral movement in enterprise networks

Mitigation

  • Only install MCP servers from verified, trusted sources
  • Review MCP server source code before installation
  • Run Cursor with minimal filesystem access when possible
  • Monitor network activity from Cursor processes
  • Consider using Cursor in containerized environments for sensitive work
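The mitigations above come down to knowing exactly what each configured MCP server will run before Cursor starts it. As an added example (not Cursor's own tooling and not from this advisory), the following Python script audits an MCP server configuration and lists the review points a reader should settle before trusting each entry. It assumes the common MCP client layout of a JSON `mcpServers` map with `command`, `args` and `env` per server; the config path is supplied by the caller because no install location is given here, and the sample config and the package name `example-docs-mcp` are constructed.

```python
"""Audit an MCP server configuration before trusting it (added example).

Assumes the common MCP client layout: {"mcpServers": {name: {"command",
"args", "env"}}}. The path is an argument; no real install location is assumed.
"""
import json
import re
import sys
from pathlib import Path

# Launchers that download a package from a registry and run it at start-up:
# the code that executes is whatever the registry serves at that moment.
REGISTRY_RUNNERS = {"npx", "uvx", "pipx", "bunx"}
SHELL_RE = re.compile(r"^(sh|bash|zsh|cmd(\.exe)?|powershell(\.exe)?|pwsh)$", re.I)
SECRET_ENV_RE = re.compile(r"KEY|TOKEN|SECRET|PASSWORD|CREDENTIAL", re.I)
PINNED_RE = re.compile(r"(@|==)\d")          # pkg@1.2.3 or pkg==1.2.3


def audit_server(name: str, spec: dict) -> dict:
    """Return the review points for one server entry."""
    command = str(spec.get("command", ""))
    args = [str(a) for a in spec.get("args", [])]
    env = spec.get("env") or {}
    runner = Path(command).name
    issues = []
    if not command:
        issues.append("no command: entry is malformed")
    if runner in REGISTRY_RUNNERS:
        issues.append(f"started via {runner}: package is fetched from a registry at launch")
        if "-y" in args:
            issues.append("'-y' installs the package without a confirmation step")
        if not any(PINNED_RE.search(a) for a in args):
            issues.append("package version not pinned: a new release runs without review")
    if SHELL_RE.match(runner):
        issues.append("started through a shell: read the full argument string")
    secret_env = sorted(k for k in env if SECRET_ENV_RE.search(k))
    if secret_env:
        issues.append("secrets in env (" + ", ".join(secret_env) + "): readable by the server process")
    return {"server": name, "command": command, "args": args, "issues": issues}


def audit_mcp_config(config: dict) -> list:
    """Audit every server in a parsed config document."""
    return [audit_server(n, s or {}) for n, s in config.get("mcpServers", {}).items()]


# Constructed sample config; "example-docs-mcp" is an invented package name.
SAMPLE_CONFIG = json.loads("""{
  "mcpServers": {
    "docs-search": {"command": "npx", "args": ["-y", "example-docs-mcp"],
                    "env": {"DOCS_API_KEY": "sk-example"}},
    "local-notes": {"command": "/opt/tools/notes-mcp", "args": ["--read-only"]}
  }
}""")


def main(argv):
    # usage: audit_mcp.py [path/to/mcp.json]; without a path the sample is audited
    config = json.loads(Path(argv[1]).read_text()) if len(argv) > 1 else SAMPLE_CONFIG
    for f in audit_mcp_config(config):
        status = "OK" if not f["issues"] else f"{len(f['issues'])} review point(s)"
        print(f"{f['server']}: {f['command']} {' '.join(f['args'])} -> {status}")
        for issue in f["issues"]:
            print("  -", issue)


if __name__ == "__main__":
    main(sys.argv)
```

The sample's `docs-search` entry raises four points (registry launcher, `-y`, unpinned version, a secret in `env`) while the locally installed `local-notes` binary raises none; a clean report does not make a server safe, it only means the source can be read and pinned, which is the precondition for the "review the source before installation" step above.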

AI Context Prompt Injection

Severity: High | Status: Ongoing Issue

Malicious code in opened projects can contain hidden prompt injection attacks that influence Cursor's AI responses. Attackers can embed instructions in comments, string literals, or file names that manipulate the AI to generate insecure or malicious code.

CVE: N/A - Class of Vulnerability
Disclosed: 2024

Technical Details

  • AI models process all visible code as context
  • Hidden instructions in comments can influence AI behavior
  • Unicode tricks can hide malicious prompts from human view
  • Repository names and README files contribute to context

Impact

  • AI may generate intentionally vulnerable code
  • Developers may unknowingly introduce security flaws
  • Supply chain attacks via malicious open source projects
  • Code review processes may miss AI-injected vulnerabilities

Mitigation

  • Be cautious when opening untrusted repositories
  • Carefully review all AI-generated code suggestions
  • Use Privacy Mode for work on untrusted projects
  • Don't auto-accept AI completions for security-sensitive code
  • Verify AI suggestions against known secure patterns
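The "Unicode tricks" point above is the one a reviewer cannot catch by reading: zero-width characters, bidirectional overrides and the Unicode tag block all render as nothing in an editor while staying in the text the model reads. As an added example (not part of this advisory or Cursor's tooling), the following Python scanner reports every such character in a file with its line and column, decodes any text carried in tag characters so the reviewer can see what was hidden, and renders the file with hidden characters made visible. The sample input is constructed; `encode_as_tags` exists only to build that fixture.

```python
"""Find Unicode that hides text from a human reader while it stays in the
context an AI assistant reads (added example, not from the advisory).
"""
import unicodedata
from dataclasses import dataclass
from typing import List, Optional

# Invisible code points that commonly split or conceal text.
ZERO_WIDTH = {0x200B, 0x200C, 0x200D, 0x2060, 0xFEFF, 0x00AD}
# Bidirectional controls: can reorder rendered text so it reads differently.
BIDI_CONTROLS = set(range(0x202A, 0x202F)) | set(range(0x2066, 0x206A))
# Unicode "tag" block: invisible characters that map one-to-one onto ASCII.
TAG_LO, TAG_HI = 0xE0000, 0xE007F


@dataclass
class Finding:
    line: int        # 1-based
    column: int      # 1-based, counted in code points
    codepoint: int
    kind: str
    name: str


def classify(ch: str) -> Optional[str]:
    """Name the hiding mechanism a character belongs to, or None if it is ordinary."""
    cp = ord(ch)
    if cp in ZERO_WIDTH:
        return "zero-width"
    if cp in BIDI_CONTROLS:
        return "bidi-control"
    if TAG_LO <= cp <= TAG_HI:
        return "tag"
    if unicodedata.category(ch) == "Cf":   # any other format character
        return "format"
    return None


def scan_text(text: str) -> List[Finding]:
    """Report every hidden character with its position."""
    found = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for col, ch in enumerate(line, 1):
            kind = classify(ch)
            if kind:
                found.append(Finding(lineno, col, ord(ch), kind,
                                     unicodedata.name(ch, "<unnamed>")))
    return found


def decode_tag_payload(text: str) -> str:
    """Recover ASCII carried by tag characters (U+E0020..U+E007E)."""
    return "".join(chr(ord(c) - TAG_LO) for c in text if 0xE0020 <= ord(c) <= 0xE007E)


def reveal(text: str) -> str:
    """Render the text with every hidden character shown as <U+XXXX>."""
    return "".join(f"<U+{ord(c):04X}>" if classify(c) else c for c in text)


def encode_as_tags(ascii_text: str) -> str:
    """Build a tag-encoded string; used only to construct the sample below."""
    return "".join(chr(TAG_LO + ord(c)) for c in ascii_text)


# Constructed sample: an ordinary-looking comment with an invisible tag-encoded
# phrase appended, and a zero-width space inside an identifier on the next line.
SAMPLE = ("def connect(host):\n"
          "    # validate input" + encode_as_tags("hidden text") + "\n"
          "    return host\u200b.strip()\n")

if __name__ == "__main__":
    for f in scan_text(SAMPLE):
        print(f"line {f.line} col {f.column}: U+{f.codepoint:04X} {f.name} [{f.kind}]")
    print("tag payload:", repr(decode_tag_payload(SAMPLE)))
    print(reveal(SAMPLE))
```

Running it over a repository before opening it in Cursor (or as a pre-commit check) turns the invisible into a diff a reviewer can reject; the "format" bucket catches any `Cf` character not on the explicit lists, so legitimate uses such as a BOM at file start will also be reported and should be allowlisted by position rather than by code point.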

Credential Leakage via AI Prompts

Severity: High | Status: Ongoing Issue

Users frequently paste code containing API keys, passwords, and secrets into Cursor's AI chat for debugging help. These credentials are transmitted to external AI providers (Anthropic, OpenAI) and may be logged, cached, or potentially used in training data.

CVE: N/A - User Behavior Issue
Disclosed: Ongoing

Technical Details

  • Chat context sent to external AI APIs for processing
  • No automatic detection/redaction of credentials in prompts
  • Third-party providers have their own data retention policies
  • Credentials may persist in various caches and logs

Impact

  • API keys and credentials exposed to third parties
  • Potential for credential theft if AI provider compromised
  • Compliance violations for regulated data
  • Risk of credentials appearing in AI training data

Mitigation

  • Never paste real credentials into AI prompts
  • Use placeholder values like 'YOUR_API_KEY'
  • Enable Privacy Mode for credential-heavy work
  • Immediately rotate any credentials that may have been exposed
  • Use tools to scan AI prompts for secrets before sending
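The last two mitigations above (placeholder values, scanning prompts before they are sent) can be one step. As an added example (not a Cursor feature; the advisory notes that Cursor does no automatic redaction), the following Python filter replaces credential-looking values in a prompt with the `YOUR_...` placeholder convention from the list above and returns a short record of what it removed, so the owner knows which credentials to rotate. The patterns are illustrative rather than exhaustive, the entropy threshold is a heuristic, and the sample prompt and every token in it are constructed.

```python
"""Redact credential-looking values from text before it is sent to an AI chat
(added example, not a Cursor feature). Patterns are illustrative, not exhaustive.
"""
import math
import re
from collections import Counter
from typing import List, Tuple

# Token formats with a fixed, recognisable shape.
SHAPED_PATTERNS = [
    ("private_key", re.compile(
        r"-----BEGIN [A-Z ]*PRIVATE KEY-----[\s\S]*?-----END [A-Z ]*PRIVATE KEY-----")),
    ("aws_access_key", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("github_token", re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b")),
]
# name = value style assignments whose name suggests a secret.
ASSIGNMENT_RE = re.compile(
    r"(?i)\b([\w-]*(?:api[_-]?key|secret|password|passwd|token)[\w-]*)"
    r"\s*[:=]\s*['\"]?([^'\"\s,;]{8,})")
MIN_ENTROPY = 2.5   # bits per character; below this the value is probably not a secret


def shannon_entropy(s: str) -> float:
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_like_placeholder(value: str) -> bool:
    """YOUR_API_KEY, <token>, ${SECRET} and similar are already safe to send."""
    return bool(re.fullmatch(r"[A-Z0-9_]+", value)) or value.startswith(("<", "$", "{{"))


def redact_secrets(text: str) -> Tuple[str, List[dict]]:
    """Return the redacted text and a list of what was removed (kind + 4-char hint)."""
    findings: List[dict] = []

    def note(kind: str, value: str) -> None:
        findings.append({"kind": kind, "hint": value[:4] + "..."})

    for kind, pattern in SHAPED_PATTERNS:
        def shaped_sub(m, kind=kind):
            note(kind, m.group(0))
            return "YOUR_" + kind.upper()
        text = pattern.sub(shaped_sub, text)

    def assignment_sub(m):
        name, value = m.group(1), m.group(2)
        if looks_like_placeholder(value) or shannon_entropy(value) < MIN_ENTROPY:
            return m.group(0)                       # leave placeholders and low-entropy values alone
        note("assignment:" + name, value)
        prefix = m.group(0)[: m.start(2) - m.start(0)]   # name, separator, opening quote
        return prefix + "YOUR_" + re.sub(r"[^A-Za-z0-9]", "_", name).upper()

    return ASSIGNMENT_RE.sub(assignment_sub, text), findings


# Constructed sample prompt; the token values are invented, not real credentials.
SAMPLE_PROMPT = '''Why does this request return 401?
import requests
API_KEY = "sk-live-4f9c2b7e8a1d0c3b9e6f5a2d7c8b1e4f"
headers = {"Authorization": "Bearer ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"}
requests.get("https://api.example.com/v1/me", headers=headers)
'''

if __name__ == "__main__":
    cleaned, removed = redact_secrets(SAMPLE_PROMPT)
    print(cleaned)
    for item in removed:
        print("redacted", item["kind"], "starting", item["hint"], "- rotate it if it was real")
```

Shaped patterns run first so that a token such as `ghp_...` is replaced before the assignment rule sees the line, and existing placeholders pass through untouched. The known gap is deliberate: a low-entropy value such as a weak password is not redacted, so the filter reduces the volume of accidental leakage but does not replace the rule of never pasting real credentials.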

VS Code Extension Supply Chain Risks

Severity: High | Status: Inherited from VS Code

Cursor inherits VS Code's extension system and its associated supply chain risks. Malicious or compromised extensions can access all code, execute arbitrary commands, and exfiltrate data. Several high-profile supply chain attacks have affected VS Code extensions.

CVE: Various - See VS Code CVEs
Disclosed: Various

Technical Details

  • Extensions run with full IDE privileges
  • Limited extension permission model in VS Code/Cursor
  • Extensions can access filesystem, network, and terminal
  • Auto-update can pull in compromised versions

Impact

  • Code and secrets exfiltration via malicious extensions
  • Backdoor installation through compromised updates
  • Credential theft from development environments
  • Cryptominer and ransomware installation

Mitigation

  • Only install extensions from verified publishers
  • Review extension permissions and changelog before updates
  • Regularly audit installed extensions
  • Disable auto-update for critical development environments
  • Monitor extension network activity
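Three of the mitigations above (verified publishers, regular audits, auto-update off) can be checked mechanically. As an added example (not Cursor's tooling and not from this advisory), the following Python script audits an extensions directory against a publisher allowlist, flags extensions installed in more than one version, and checks the auto-update setting. It assumes the VS Code layout the advisory says Cursor inherits: one folder per extension named `<publisher>.<name>-<version>` and a `settings.json` carrying the VS Code key `extensions.autoUpdate`; that Cursor reads the same key is an assumption. The directory and settings paths come from the caller, and the sample folder list and settings are constructed.

```python
"""Audit installed extensions against a publisher allowlist and confirm
auto-update is disabled (added example, not Cursor's tooling).

Assumes the VS Code layout: one folder per extension named
<publisher>.<name>-<version>, and a settings.json with "extensions.autoUpdate".
"""
import json
import re
import sys
from pathlib import Path

FOLDER_RE = re.compile(r"^(?P<publisher>[^.]+)\.(?P<name>.+)-(?P<version>\d+(?:\.\d+)+)$")


def parse_folder(folder_name):
    """Split 'publisher.name-1.2.3' into parts, or None if it is not an extension folder."""
    m = FOLDER_RE.match(folder_name)
    return m.groupdict() if m else None


def audit_extensions(folder_names, settings, allowed_publishers):
    """Return a report dict; callers treat any non-empty list as a finding."""
    allowed = {p.lower() for p in allowed_publishers}
    versions = {}
    report = {
        # VS Code treats any value other than false as some form of auto-update.
        "auto_update_enabled": settings.get("extensions.autoUpdate", True) is not False,
        "unlisted_publisher": [],   # installed from a publisher not on the allowlist
        "multiple_versions": {},    # stale copies left behind by updates
        "unrecognised": [],         # entries that are not extension folders
    }
    for folder in folder_names:
        ext = parse_folder(folder)
        if ext is None:
            report["unrecognised"].append(folder)
            continue
        ident = f"{ext['publisher']}.{ext['name']}"
        versions.setdefault(ident, []).append(ext["version"])
        if ext["publisher"].lower() not in allowed:
            report["unlisted_publisher"].append(ident)
    report["multiple_versions"] = {k: v for k, v in versions.items() if len(v) > 1}
    return report


# Constructed sample: folder names as they would appear in an extensions directory.
SAMPLE_FOLDERS = ["ms-python.python-2024.4.1", "esbenp.prettier-vscode-10.1.0",
                  "esbenp.prettier-vscode-9.19.0", "unknown-pub.helper-tool-0.0.3",
                  "extensions.json"]
SAMPLE_SETTINGS = {"extensions.autoUpdate": True}
ALLOWED_PUBLISHERS = ["ms-python", "esbenp"]


def main(argv):
    # usage: audit_ext.py <extensions-dir> <settings.json> [publisher ...]
    if len(argv) > 2:
        folders = [p.name for p in Path(argv[1]).iterdir() if p.is_dir()]
        settings = json.loads(Path(argv[2]).read_text())
        allowed = argv[3:] or ALLOWED_PUBLISHERS
    else:
        folders, settings, allowed = SAMPLE_FOLDERS, SAMPLE_SETTINGS, ALLOWED_PUBLISHERS
    print(json.dumps(audit_extensions(folders, settings, allowed), indent=2))


if __name__ == "__main__":
    main(sys.argv)
```

A real `settings.json` may contain comments, which `json.loads` rejects; strip them before parsing. The publisher allowlist is the control that matters most: an extension from an unlisted publisher is not necessarily malicious, but it has not been through whatever vetting the list represents, and the review of its permissions and changelog called for above has not happened.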


Frequently Asked Questions

Has Cursor been hacked?

As of our last update, there have been no publicly disclosed breaches of Cursor's infrastructure. However, the vulnerabilities documented on this page represent real security risks that affect Cursor users. The distinction is between 'Cursor the company being hacked' and 'security issues affecting Cursor users.'

Are my credentials safe with Cursor?

Credentials you type into code files or AI prompts are sent to external AI providers (Anthropic, OpenAI) for processing, unless Privacy Mode is enabled. Cursor claims not to store code permanently, but third-party providers have their own policies. For maximum safety, never include real credentials in code that Cursor's AI will process.

What is the MCP vulnerability?

MCP (Model Context Protocol) allows Cursor to connect to external servers that can execute code on your machine. This is by design - it's how MCP extends Cursor's functionality. The 'vulnerability' is that this powerful capability can be abused by malicious MCP servers. Only install MCP servers from sources you trust completely.

Is Cursor safe for enterprise use?

Cursor can be used safely in enterprise environments with proper controls: enable Privacy Mode for sensitive projects, restrict MCP server installation, audit extensions, and use .cursorignore for sensitive files. Many enterprises use Cursor with security policies similar to other development tools.

Should I stop using Cursor?

Not necessarily. The vulnerabilities documented here affect all AI coding assistants to varying degrees. The key is using Cursor safely: enable Privacy Mode for sensitive work, be careful with MCP servers, review AI-generated code, and don't paste real credentials into AI prompts. These practices make Cursor reasonably safe for most development.

Last updated: January 2026