CVE: [pending] | Vendor: Anysphere | Product: Cursor IDE
What Is the Vulnerability
Two critical remote code execution (RCE) vulnerabilities have been discovered in Cursor IDE, the AI-powered development environment used by over 50% of Fortune 500 companies. These flaws enable zero-click exploitation via prompt injection, where a maliciously crafted prompt — delivered through seemingly innocuous channels such as a README file, code comment, or chat message — can trigger arbitrary code execution on the developer’s workstation without any user interaction beyond opening a project or viewing a file.
The attack surface is the AI integration layer itself. Prompt injection, previously considered primarily a data-exfiltration or prompt-leaking risk, now serves as a direct vector to RCE. This represents a fundamental shift in how we must think about AI agent security within development tools. When an AI coding assistant has filesystem access, shell execution capabilities, and the ability to run terminal commands, a compromised prompt becomes a remote shell.
Versions Affected
- Cursor IDE versions prior to the latest patched release
- All platforms: macOS, Windows, Linux
Exploited?
No confirmed active exploitation in the wild at the time of disclosure. However, the zero-click nature and the ubiquity of Cursor IDE in enterprise environments make this a high-priority patching target.
Fix
Update Cursor IDE to the latest version immediately. Anysphere has released patches that introduce stricter sandboxing around AI-initiated terminal commands and improved prompt sanitization. Users should enable auto-updates if not already configured.
Recommendations
- Patch immediately: This is your top priority. The attack requires no user click — merely opening a project with a malicious prompt is sufficient.
- Audit dev workstation security: Developer machines hold source code, CI/CD credentials, cloud deployment keys, and production access tokens. Treat them as Tier 0 assets.
- Restrict AI tool permissions: Configure Cursor IDE to require explicit approval for terminal command execution. Turn off any auto-execute settings.
- Scan repositories for malicious prompts: Implement pre-receive hooks or CI checks that flag suspicious prompt-injection patterns in code comments, README files, and documentation.
- Network segmentation: Developer workstations should not have unfettered access to production environments. Use jump hosts, zero-trust access, and just-in-time credential issuance.
- Monitor for this being the third IDE/dev-tool vulnerability this week: Following JetBrains and Gitea act_runner disclosures, a pattern is emerging. Threat actors are aggressively targeting the development toolchain. Review your entire SDLC tooling inventory.
References
Part of the Vulnerability Intelligence series. See the July 3, 2026 VIR.
