CVE Reports

Originally published at cvereports.com

CVE-2026-22708: Trust Issues: Bypassing Cursor AI's 'Safe Mode' via Shell Built-ins

Vulnerability ID: CVE-2026-22708
CVSS Score: 7.2
Published: 2026-01-14

A logic flaw in Cursor AI's terminal allowlist allowed attackers to execute arbitrary code by leveraging shell built-ins like 'export' and 'alias' to poison the environment, effectively bypassing security restrictions.

TL;DR

Cursor AI's 'Auto-Run' mode promised safety via a command allowlist. However, it only scrutinized external binaries, completely ignoring shell built-ins. By tricking the AI into running commands like export PATH=... or alias, an attacker could poison the shell environment. The next time a 'safe' command (like git) was executed, the shell would invoke a malicious payload instead, resulting in full RCE.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-78 (OS Command Injection)
  • Attack Vector: Network (Prompt Injection)
  • CVSS Score: 7.2 (High)
  • CVSS Vector: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U
  • EPSS Score: 0.00054 (Low Probability)
  • Exploit Status: Proof of Concept (PoC)
  • Affected Component: Cursor Agent / Terminal Tool

Affected Systems

  • Cursor AI Code Editor (macOS)
  • Cursor AI Code Editor (Linux)
  • Cursor AI Code Editor (Windows)
  • Cursor: < 2.3 (Fixed in: 2.3)

Exploit Details

  • Pillar Security: Research notes detailing the bypass of Cursor's allowlist via environment poisoning.

Mitigation Strategies

  • Disable Auto-Run Mode in Cursor settings to enforce human-in-the-loop verification.
  • Treat shell built-ins (export, alias, source) as high-risk commands.
  • Isolate AI development environments using containers or VMs.

Remediation Steps:

  1. Update Cursor to version 2.3 or later via the internal updater or official website.
  2. Verify that the 'Allowlist' settings are correctly configured and not set to allow all.
  3. Review shell history (~/.zsh_history or ~/.bash_history) for unexpected export or alias commands if you suspect compromised sessions.
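
Step 3 as a script, added here as an illustration (not part of the original report and not Cursor's code): it flags export, alias and source in bash or zsh history, including when they are chained after another command, and returns one (line number, severity, reason) tuple per hit. The ALLOWLISTED set and the sample history lines are assumptions constructed for the example.

```python
import re
import shlex

ZSH_STAMP = re.compile(r"^: \d+:\d+;")   # zsh EXTENDED_HISTORY prefix
ALLOWLISTED = {"git", "ls", "npm"}       # assumption: your allowlist's "safe" commands

def simple_commands(line):
    """Split one history line into simple commands at shell separators."""
    text = ZSH_STAMP.sub("", line.strip())
    lex = shlex.shlex(text, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    try:
        toks = list(lex)
    except ValueError:                   # unbalanced quote: whitespace split
        toks = text.split()
    cmd = []
    for tok in toks + [";"]:             # trailing ";" flushes the last command
        if tok and set(tok) <= set(";&|()"):
            if cmd:
                yield cmd
            cmd = []
        else:
            cmd.append(tok)

def classify(cmd):
    """Return (severity, reason) for a built-in worth reviewing, else None."""
    name, args = cmd[0], cmd[1:]
    assigned = {a.split("=", 1)[0] for a in args if "=" in a}
    if name == "export" and "PATH" in assigned:
        return "high", "export rewrites PATH"
    if name == "alias" and assigned & ALLOWLISTED:
        return "high", "alias shadows an allowlisted command"
    if name in {"export", "alias", "source", "."}:
        return "review", f"{name} changes shell state"

def audit(lines):
    return [(n, *hit) for n, line in enumerate(lines, 1)
            for cmd in simple_commands(line) if (hit := classify(cmd))]

# Constructed sample mixing bash and zsh extended-history lines.
SAMPLE = [
    "git status",
    ": 1767950000:0;npm test && export PATH=/tmp/demo:$PATH",
    "alias git='/tmp/demo/git'",
    "echo 'alias ls=x'; export EDITOR=vim",
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding)
```

To audit a real session, pass the lines of ~/.zsh_history or ~/.bash_history (opened with errors="replace") to audit() and set ALLOWLISTED to the commands your own allowlist permits.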

Read the full report for CVE-2026-22708 on our website for more details including interactive diagrams and full exploit analysis.
