CVE-2026-22708
📋 TL;DR
This vulnerability in Cursor AI code editor allows attackers to execute shell built-ins without allowlist approval when the Cursor Agent runs in Auto-Run Mode with Allowlist mode enabled. Attackers can poison the shell environment by manipulating environment variables that influence trusted commands. Users running Cursor Agent in Auto-Run Mode with Allowlist mode enabled are affected.
💻 Affected Systems
- Cursor AI Code Editor
📦 What is this software?
Cursor by Anysphere
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise via environment variable manipulation leading to arbitrary code execution, data theft, or lateral movement within the environment.
Likely Case
Local privilege escalation, unauthorized command execution, or manipulation of development environments and build processes.
If Mitigated
Limited impact if Auto-Run Mode is disabled or proper network segmentation isolates vulnerable systems.
🎯 Exploit Status
Requires prompt injection or social engineering to trigger the vulnerability. Exploitation depends on user interaction with the AI agent.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.3
Vendor Advisory: https://github.com/cursor/cursor/security/advisories/GHSA-82wg-qcm4-fp2w
Restart Required: Yes
Instructions:
1. Open Cursor editor.
2. Go to Settings > About.
3. Check current version.
4. If below 2.3, update via built-in updater or download from official website.
5. Restart Cursor after update.
🔧 Temporary Workarounds
Disable Auto-Run Mode
Turn off Auto-Run Mode in Cursor Agent settings to prevent automatic execution without user approval.
Open Cursor > Settings > Cursor Agent > Disable 'Auto-Run Mode'
Disable Allowlist Mode
Disable Allowlist mode or switch to a more restrictive mode if Auto-Run must remain enabled.
Open Cursor > Settings > Cursor Agent > Change 'Allowlist Mode' to disabled or more restrictive setting
🧯 If You Can't Patch
- Disable Cursor Agent entirely in settings if not required for workflow
- Implement network segmentation to isolate systems running vulnerable Cursor versions from critical infrastructure
🔍 How to Verify
Check if Vulnerable:
Check the Cursor version in Settings > About. If the version is below 2.3 and Cursor Agent is configured with Auto-Run Mode and Allowlist mode enabled, the system is vulnerable.
Check Version:
In Cursor: Open Settings > About to view version
Verify Fix Applied:
After updating to 2.3, verify version in Settings > About shows 2.3 or higher. Test that shell built-ins now require proper allowlist approval.
📡 Detection & Monitoring
Log Indicators:
- Unexpected shell command executions from Cursor process
- Environment variable modifications by Cursor Agent
- Allowlist bypass attempts in Cursor logs
Network Indicators:
- Unusual outbound connections from Cursor process to unexpected destinations
SIEM Query:
process_name:"Cursor" AND (command_line:"env" OR command_line:"export" OR command_line:"set") AND NOT user_approved:true
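The query above applied to process events in Python, as an added example that is not code from Cursor or the vendor advisory. It counts `env`, `export` and `set` only when they appear in command position, so an argument such as the `reset` in `git reset` is not a hit, and it goes beyond the query by also reporting inline `VAR=value` prefixes. The event schema (the three field names from the query) and the sample events are assumptions constructed for illustration.

```python
import re
import shlex

ENV_COMMANDS = {"env", "export", "set"}      # the three terms in the query above
ASSIGNMENT = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)=")
SEPARATORS = set(";&|()")                    # operator tokens that start a new command

def env_touching_words(command_line):
    """Return env-related words found in command position, in order."""
    lexer = shlex.shlex(command_line, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True            # split on whitespace and operators only
    try:
        tokens = list(lexer)
    except ValueError:                       # unbalanced quotes: fall back to a plain split
        tokens = command_line.split()
    hits, at_command = [], True
    for tok in tokens:
        if tok and set(tok) <= SEPARATORS:   # ; && || | ( ) begin a new simple command
            at_command = True
        elif at_command and ASSIGNMENT.match(tok):
            hits.append(ASSIGNMENT.match(tok).group(1) + "=")  # VAR=value prefix
        elif at_command:
            if tok in ENV_COMMANDS:
                hits.append(tok)
            at_command = False               # the rest are arguments until a separator
    return hits

def flag_events(events):
    """Cursor process, env-related command, not user-approved (same shape as the query)."""
    flagged = []
    for ev in events:
        if ev.get("process_name") != "Cursor" or ev.get("user_approved") is True:
            continue
        hits = env_touching_words(ev.get("command_line", ""))
        if hits:
            flagged.append((ev["command_line"], hits))
    return flagged

# Constructed sample events (hypothetical schema, not real telemetry).
SAMPLE_EVENTS = [
    {"process_name": "Cursor", "command_line": "git reset --hard", "user_approved": False},
    {"process_name": "Cursor", "command_line": "export EXAMPLE_VAR=1 && git status", "user_approved": False},
    {"process_name": "Cursor", "command_line": "EXAMPLE_VAR=1 git log", "user_approved": False},
    {"process_name": "Cursor", "command_line": "npm test; set -o pipefail", "user_approved": True},
    {"process_name": "bash", "command_line": "export EXAMPLE_VAR=1", "user_approved": False},
]

if __name__ == "__main__":
    for cmd, hits in flag_events(SAMPLE_EVENTS):
        print(f"REVIEW {hits}: {cmd}")
```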