
5 RCE Vulnerabilities in the Most Popular AI Code Editor

Remote code execution across five critical CVEs in Cursor — the AI code editor with millions of users. Attackers could execute arbitrary code by poisoning MCP configs, exploiting case-sensitivity mismatches, or simply tricking a developer into opening a folder.

The Incidents

Between mid-2025 and early 2026, security researchers disclosed five high-severity remote code execution vulnerabilities in Cursor, the AI-powered code editor built on VS Code with millions of active developers. The vulnerabilities exploit the trust model between the editor, its AI agent, and the MCP (Model Context Protocol) server ecosystem.

The Vulnerabilities

MCPoison — CVE-2025-54136

Discovered by Check Point Research. Cursor’s MCP integration uses a one-time approval model: once a user approves an MCP server, its configuration is trusted indefinitely. An attacker who modifies the MCP configuration file after approval has their modified command executed silently — both during repository sync and every time Cursor reopens. The trust is never re-validated.

CurXecute — CVE-2025-54135

A companion flaw in how Cursor handles MCP server naming and configuration. Together with MCPoison, the two vulnerabilities allow persistent code execution through poisoned MCP definitions that survive editor restarts.
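The fix for the one-time approval model described under MCPoison and CurXecute is to pin what the user approved and re-check it on every load. The following is an added example written for this article, not Cursor's code: it fingerprints each MCP server definition with a canonical-JSON SHA-256 at approval time and refuses to start any server whose definition no longer matches, so a config edited after approval (the constructed `TAMPERED_CONFIG` below, where only the `args` changed) is held for re-approval instead of running silently. Server names and commands are placeholders.

```python
import copy
import hashlib
import json

# Constructed sample of an .cursor/mcp.json-style file (names are placeholders).
APPROVED_CONFIG = {
    "mcpServers": {
        "docs-search": {"command": "npx", "args": ["docs-mcp-server"]}
    }
}

# Constructed: the same file after someone swapped the server's arguments.
TAMPERED_CONFIG = copy.deepcopy(APPROVED_CONFIG)
TAMPERED_CONFIG["mcpServers"]["docs-search"]["args"] = ["docs-mcp-server", "--plugin", "./evil.js"]


def canonical_fingerprint(server_def: dict) -> str:
    """SHA-256 over a canonical JSON form: key order and whitespace do not
    change the hash, any change to command, args or env does."""
    blob = json.dumps(server_def, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()


class ApprovalStore:
    """Remembers, per server name, the fingerprint the user actually approved.
    In a real editor this would be persisted outside the repository so the
    repository itself cannot rewrite it."""

    def __init__(self):
        self._approved = {}

    def approve(self, name: str, server_def: dict) -> str:
        fp = canonical_fingerprint(server_def)
        self._approved[name] = fp
        return fp

    def check(self, config: dict):
        """Split the servers in `config` into those whose current definition
        matches an approved fingerprint and those that are new or changed.
        Only the first group may be started; the second needs a fresh prompt."""
        runnable, needs_reapproval = [], []
        for name, server_def in config.get("mcpServers", {}).items():
            if self._approved.get(name) == canonical_fingerprint(server_def):
                runnable.append(name)
            else:
                needs_reapproval.append(name)
        return runnable, needs_reapproval


def demo():
    """Approve the original config, then load the tampered one."""
    store = ApprovalStore()
    for name, server_def in APPROVED_CONFIG["mcpServers"].items():
        store.approve(name, server_def)
    return store.check(APPROVED_CONFIG), store.check(TAMPERED_CONFIG)


if __name__ == "__main__":
    before, after = demo()
    print("original config:", before)   # (['docs-search'], [])
    print("tampered config:", after)    # ([], ['docs-search'])
```

Re-validating on every load (repository sync, editor restart, branch checkout) is the whole point; a fingerprint that is only checked at approval time reproduces the original flaw.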

Case-Sensitivity Bypass — CVE-2025-59944

Discovered by Lakera. A subtle case-sensitivity mismatch in file path validation allowed attackers to bypass protections on configuration files. A path that should have been blocked could be accessed by changing character casing — the check compared case-sensitively, but the filesystem resolved case-insensitively. This allowed untrusted content to modify protected config files, leading to RCE.

Open-Folder Autorun

Discovered by Oasis Security. Cursor ships with VS Code’s Workspace Trust feature disabled by default. This means .vscode/tasks.json files configured with runOptions.runOn: "folderOpen" auto-execute the moment a developer opens a project. A malicious repository needs nothing more than a crafted tasks file — cloning and opening is the entire attack chain.

Shell Built-in Bypass — CVE-2026-22708

In Cursor versions prior to 2.3, when the AI Agent runs in Auto-Run Mode with an allowlist, certain shell built-ins can still execute without appearing in the allowlist. An attacker — via direct or indirect prompt injection — can poison the shell environment by setting, modifying, or removing environment variables. This is particularly dangerous because it means a prompt injection in a code comment can escalate to environment manipulation.
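The general lesson from the shell built-in issue is that an allowlist of external program names says nothing about what the shell itself will do with the line. The example below is added for this article and does not reproduce Cursor's allowlist logic, which is not public here. It shows a convenience-style check that resolves a command to its first "real" word (so that `LC_ALL=C git log` still counts as `git`) next to a strict check that accepts only a single simple command: no leading `VAR=value` assignments, no control operators or substitutions, and no state-changing built-ins, whether or not they appear in the allowlist. The allowlist and built-in set are constructed placeholders.

```python
import re
import shlex

# Constructed placeholder allowlist of external programs the agent may run.
ALLOWLIST = {"git", "npm", "ls", "cat"}

# Built-ins that alter the shell's own environment or evaluate text as code.
# They are never external programs, so an allowlist of program names cannot
# name them; they have to be rejected explicitly.
STATE_CHANGING_BUILTINS = {
    "export", "unset", "set", "declare", "typeset", "readonly", "local",
    "source", ".", "eval", "exec", "alias", "trap", "cd",
}

ENV_ASSIGNMENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*=")
# Anything that lets one line become several commands or expand at run time.
CONTROL_OR_EXPANSION = re.compile(r"[;&|`$<>(){}\n]")


def naive_is_allowed(command: str) -> bool:
    """Resolve the command to its first non-assignment word and look it up.
    Lets 'PATH=/tmp/bin git status' through as 'git', and never looks past
    the first word, so 'git status && unset HOME' also passes."""
    for tok in shlex.split(command):
        if not ENV_ASSIGNMENT.match(tok):
            return tok in ALLOWLIST
    return False


def strict_check(command: str):
    """Accept only one simple command whose program is on the allowlist.
    Returns (allowed, reason) so the refusal can be logged or shown."""
    if CONTROL_OR_EXPANSION.search(command):
        return False, "only a single simple command without operators or expansions is accepted"
    try:
        tokens = shlex.split(command)
    except ValueError as exc:
        return False, f"unparseable command line: {exc}"
    if not tokens:
        return False, "empty command"
    head = tokens[0]
    if ENV_ASSIGNMENT.match(head):
        return False, "environment assignment prefix not allowed"
    if head in STATE_CHANGING_BUILTINS:
        return False, f"shell built-in {head!r} not allowed"
    if head not in ALLOWLIST:
        return False, f"{head!r} not in allowlist"
    return True, "ok"


if __name__ == "__main__":
    for line in ["git status", "PATH=/tmp/bin git status",
                 "git status && unset HOME", "export FOO=1"]:
        print(f"{line!r:32} naive={naive_is_allowed(line)!s:5} strict={strict_check(line)}")
```

The strict check is deliberately conservative: it also refuses `echo $HOME` and redirections, which a real implementation might want to allow, but it does so by rejecting anything it cannot fully classify rather than by enumerating bad patterns. That is the property the allowlist was supposed to provide in the first place.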

The Pattern

Every one of these vulnerabilities exploits the gap between what the editor’s AI agent is allowed to do and what it should be allowed to do. The trust model is binary — once approved, always trusted. There’s no re-validation, no scope narrowing, no anomaly detection. The AI agent operates with the developer’s full permissions, and the attack surface is the entire set of files the developer might open.

The Lesson

AI code editors are not just text editors with autocomplete. They are autonomous agents with filesystem access, shell access, and network access. Every integration point — MCP servers, workspace tasks, extension APIs — is an attack surface. The security model must match the privilege level, and right now it does not.