GBHackers

Cursor AI Extension Flaw Exposes Developer Tokens to Credential Theft


Security researchers at LayerX have uncovered a high-severity vulnerability in the popular AI-powered development environment, Cursor. Dubbed “CursorJacking,” this flaw carries a CVSS score of 8.2 and exposes developers to immediate credential theft. Any installed extension can silently access a user’s API keys and session tokens without requiring special permissions or user interaction.

Standard security practices dictate that applications store sensitive secrets in protected environments, such as the macOS Keychain or Windows Credential Manager. Cursor bypasses this critical safeguard by storing authentication credentials in a local, unencrypted SQLite database.

[Figure: Exploitation Flow (Source: LayerX)]

The database is located at a predictable filepath on the user’s local machine. Crucially, the application fails to enforce access control boundaries between its extensions and this database file. This architectural oversight means any extension can directly read the database to extract sensitive data, regardless of its declared permissions.

How the Attack Works

Exploiting this vulnerability requires very little effort from an attacker. The attack follows a straightforward execution path:

  1. An attacker publishes a seemingly harmless extension, such as a custom theme or coding utility.
  2. A developer installs the extension without receiving any security warnings or prompts for permission.
  3. The malicious extension automatically queries the local SQLite database.
  4. The extension extracts the plaintext API keys and session tokens from the file.
  5. The stolen data is silently transmitted to an external server controlled by the attacker.

The lack of access control creates a powerful attack primitive that extends well beyond the Cursor application itself. Since developers use powerful API keys to drive their coding environments, the fallout can be catastrophic. The primary impacts include:

  • Financial losses from attackers running up large billing charges on stolen OpenAI or Anthropic keys.
  • Exposure of sensitive source code, metadata, and proprietary data from prior AI prompts.
  • Total compromise of third-party integrations and unauthorized access to backend services.
  • Complete user impersonation, enabling further downstream attacks.

LayerX officially disclosed this vulnerability to Cursor on February 1, 2026. On February 5, Cursor responded by stating that extensions share the same trust boundary as any other local application. The vendor argued that it remains the user’s responsibility to thoroughly vet the extensions they choose to install.

As of late April 2026, Cursor has not released a patch or architectural fix for this issue. Security experts strongly recommend that Cursor update its design to enforce strict isolation between extensions and handle all sensitive credentials exclusively through secure, system-level keychains. Until a patch is deployed, developers must exercise extreme caution when downloading third-party add-ons.
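A defender can check whether a local application state file holds credentials in plaintext, the storage weakness described above. The following is an added example, not code from LayerX, Cursor, or this article; the database path is supplied by the caller, and the table name, key names, and token patterns are assumptions made for illustration.

```python
import hashlib
import pathlib
import re
import sqlite3

# Heuristics assumed for this example: an "sk-" style API key prefix and the
# three-segment base64url shape of a JWT. Extend for the tokens your tools use.
PATTERNS = {
    "api_key": re.compile(r"sk-[A-Za-z0-9_-]{20,}"),
    "jwt": re.compile(r"eyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}"),
}

def audit_sqlite(path):
    """Return (table, column, row_number, kind, fingerprint) per plaintext secret."""
    uri = pathlib.Path(path).resolve().as_uri() + "?mode=ro"  # open read-only
    con = sqlite3.connect(uri, uri=True)
    findings = []
    try:
        tables = [r[0] for r in con.execute("SELECT name FROM sqlite_master WHERE type='table'")]
        for table in tables:
            quoted = '"' + table.replace('"', '""') + '"'
            cur = con.execute(f"SELECT * FROM {quoted}")
            columns = [d[0] for d in cur.description]
            for row_number, row in enumerate(cur, start=1):
                for column, value in zip(columns, row):
                    if isinstance(value, bytes):  # BLOBs often hold text or JSON
                        value = value.decode("utf-8", errors="ignore")
                    if not isinstance(value, str):
                        continue
                    for kind, pattern in PATTERNS.items():
                        for match in pattern.finditer(value):
                            # Report a truncated SHA-256, never the value itself.
                            digest = hashlib.sha256(match.group().encode()).hexdigest()
                            findings.append((table, column, row_number, kind, digest[:12]))
    finally:
        con.close()
    return findings

def build_sample_db(path):
    """Write a constructed key/value database; table and key names are made up."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE kv (key TEXT PRIMARY KEY, value BLOB)")
    con.executemany("INSERT INTO kv VALUES (?, ?)", [
        ("example/apiKey", "sk-" + "A" * 32),
        ("example/session", b'{"token":"eyJhbGciOiJub25l.eyJzdWIiOiJkZW1v.c2lnbmF0dXJl"}'),
        ("example/theme", "dark"),
    ])
    con.commit()
    con.close()
```

Any finding means the credential at that location should be treated as readable by every process running under the same user account, and rotated accordingly.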
