Description
Cursor is a code editor built for programming with AI. Prior to 2.3, hen the Cursor Agent is running in Auto-Run Mode with Allowlist mode enabled, certain shell built-ins can still be executed without appearing in the allowlist and without requiring user approval.
This allows an attacker via indirect or direct prompt injection to poison the shell environment by setting, modifying, or removing environment variables that influence trusted commands. This vulnerability is fixed in 2.3.
Published: 2026-01-14
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Command Injection leading to Unauthorized Execution
Action: Immediate Patch
AI Analysis

Impact

Cursor versions prior to 2.3 allow an Allowlist mode to be bypassed through environment variable manipulation, enabling shell built‑ins to run without user approval. This vulnerability can be triggered by direct or indirect prompt injection, enabling an attacker to poison the shell environment, alter environment variables that influence trusted commands, and potentially execute arbitrary commands or elevate privileges within the user session.

Affected Systems

The affected product is Cursor, a code editor that supports AI programming. All releases earlier than version 2.3 are vulnerable. This includes any 2.2.x or earlier snapshot of Cursor.

Risk and Exploitability

The vulnerability has a CVSS score of 7.2, indicating high severity. The EPSS score is less than 1%, suggesting a low probability of exploitation at present. It is not listed in the CISA KEV catalog. The likely attack vector involves manipulating environment variables via prompt injection or local configuration changes when the Cursor Agent operates in Auto‑Run Mode with Allowlist enabled, leading to unauthorized command execution.

Generated by OpenCVE AI on April 18, 2026 at 06:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Cursor to version 2.3 or later, which contains the fix for the allowlist bypass.
  • Disable Auto‑Run Mode or require explicit user approval for all shell commands to eliminate the bypass path.
  • Audit and sanitize any input or configuration that may set or alter environment variables used by Cursor before execution.

Generated by OpenCVE AI on April 18, 2026 at 06:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 03 Feb 2026 18:45:00 +0000

Type Values Removed Values Added
First Time appeared Anysphere
Anysphere cursor
CPEs cpe:2.3:a:anysphere:cursor:*:*:*:*:*:*:*:*
Vendors & Products Anysphere
Anysphere cursor
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Thu, 15 Jan 2026 08:15:00 +0000

Type Values Removed Values Added
First Time appeared Cursor
Cursor cursor
Vendors & Products Cursor
Cursor cursor

Wed, 14 Jan 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 14 Jan 2026 17:00:00 +0000

Type Values Removed Values Added
Description Cursor is a code editor built for programming with AI. Prior to 2.3, hen the Cursor Agent is running in Auto-Run Mode with Allowlist mode enabled, certain shell built-ins can still be executed without appearing in the allowlist and without requiring user approval. This allows an attacker via indirect or direct prompt injection to poison the shell environment by setting, modifying, or removing environment variables that influence trusted commands. This vulnerability is fixed in 2.3.
Title Cursor has a Terminal Tool Allowlist Bypass via Environment Variables
Weaknesses CWE-15
CWE-269
CWE-74
CWE-77
CWE-78
CWE-94
References
Metrics cvssV4_0

{'score': 7.2, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U'}

Subscriptions

Anysphere Cursor
Cursor Cursor
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-14T16:59:53.022Z

Reserved: 2026-01-08T19:23:09.857Z

Link: CVE-2026-22708

cve-icon Vulnrichment

Updated: 2026-01-14T16:59:50.213Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-14T17:16:08.980

Modified: 2026-02-03T18:36:39.670

Link: CVE-2026-22708

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T06:30:25Z

Weaknesses