Skip to main content

Cursor Cloud Agent EUVDEUVD-2026-44674

| CVE-2026-61613 HIGH
Missing Authentication for Critical Function (CWE-306)
2026-07-15 GitHub_M
7.7
CVSS 4.0 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
7.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.3 HIGH

Unauthenticated endpoint gives PR:N; needing a browser-enabled session plus victim-loaded malicious content maps to AC:H and UI:R; pivot from web context into the container justifies S:C with full session compromise.

3.1 AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

3
Patch available
Jul 15, 2026 - 17:48 EUVD
Analysis Generated
Jul 15, 2026 - 15:19 vuln.today
CVE Published
Jul 15, 2026 - 14:18 cve.org
HIGH 7.7

DescriptionCVE.org

Cursor is a code editor built for programming with AI. Prior to the Cloud Agent fix on 03/31/2026, browser-enabled Cursor Cloud Agent sessions allowed attacker-controlled web content to connect from inside the agent container to an unauthenticated local agent endpoint, enabling code execution within the affected Cloud Agent sandbox or session and access to files, repository contents, environment variables, credentials, and GitHub App access tokens available to that session. This issue was fixed on 03/31/2026 by requiring authentication for the relevant agent endpoint.

AnalysisAI

Server-side request forgery leading to code execution in Cursor's browser-enabled Cloud Agent lets attacker-controlled web content reach an unauthenticated local agent endpoint from inside the sandbox, compromising the session. Affecting Cursor Cloud Agent sessions prior to the 03/31/2026 fix, an attacker who gets a browsing agent to load malicious content can run code in the sandbox and read repository contents, environment variables, credentials, and GitHub App access tokens scoped to that session. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Lure agent to malicious web content
Delivery
Web content connects to local agent endpoint
Exploit
Bypass missing authentication (CWE-306)
Execution
Execute code in Cloud Agent sandbox
Persist
Read repo, env vars, credentials, GitHub tokens
Impact
Exfiltrate secrets to attacker

Vulnerability AssessmentAI

Exploitation Exploitation requires a Cursor Cloud Agent session running in browser-enabled mode (the web-browsing capability must be active) and the agent must load attacker-controlled web content, which then connects from inside the agent container to the unauthenticated local agent endpoint. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 base score is 7.7 (High) with vector AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L: network reachable and unauthenticated (PR:N) with full high impact to the vulnerable session, but tempered by an attack requirement (AT:P) and passive user interaction (UI:P) - the victim must be running a browser-enabled agent session that loads the attacker's content, so this is not a fire-and-forget internet-wide exploit. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker plants malicious content on a web page (or a page the agent is likely to be pointed at) and a developer runs a browser-enabled Cursor Cloud Agent task that loads it; the page's content connects to the unauthenticated local agent endpoint inside the container and executes commands. The attacker then reads the cloned repository, environment variables, and the session's GitHub App access token and exfiltrates them. …
Remediation No user action is required for the primary fix: the vendor remediated the issue server-side on 03/31/2026 by requiring authentication for the previously unauthenticated agent endpoint, so all Cloud Agent sessions after that date are covered (Patch available per vendor advisory - see https://github.com/cursor/cursor/security/advisories/GHSA-whx2-4gvm-m3r3). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: disable Cursor Cloud Agent's browser functionality or restrict browsing to a curated allowlist of approved URLs only, and audit session activity logs for suspicious activity. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Cursor

View all
CVE-2026-22708 CRITICAL
9.8 Jan 14

Cursor AI code editor before 2.3 allows prompt injection to bypass the Agent's Allowlist mode. Shell built-ins can execu

CVE-2026-50549 CRITICAL
9.3 Jun 25

Sandbox escape leading to non-sandboxed remote code execution in Cursor (the AI code editor) prior to version 3.0, where

CVE-2026-50548 CRITICAL
9.3 Jun 25

Sandbox escape leading to non-sandboxed remote code execution affects the Cursor AI code editor prior to version 3.0, wh

CVE-2025-61592 HIGH
8.8 Oct 03

Cursor is a code editor built for programming with AI. In versions 1.7 and below, automatic loading of project-specific

CVE-2025-61591 HIGH
8.8 Oct 03

Cursor is a code editor built for programming with AI. In versions 1.7 and below, when MCP uses OAuth authentication wit

CVE-2026-31854 HIGH
8.8 Mar 11

Cursor is a code editor built for programming with AI. versions up to 2.0 is affected by os command injection.

CVE-2026-48124 HIGH
8.5 Jun 15

Unauthorized hook command execution in Cursor Desktop versions prior to 3.0.0 allows a malicious workspace to silently r

CVE-2025-59944 HIGH
8.0 Oct 03

Cursor is a code editor built for programming with AI. Versions 1.6.23 and below contain case-sensitive checks in the wa

CVE-2026-26268 HIGH
8.0 Feb 13

Cursor versions before 2.5 allow sandbox escape through improper .git configuration file protections, enabling malicious

CVE-2025-61590 HIGH
7.5 Oct 03

Cursor is a code editor built for programming with AI. Versions 1.6 and below are vulnerable to Remote Code Execution (R

CVE-2025-61593 HIGH
7.1 Oct 03

Cursor is a code editor built for programming with AI. In versions 1.7 and below, a vulnerability in the way Cursor CLI

CVE-2025-61589 MEDIUM
5.9 Oct 03

Cursor is a code editor built for programming with AI. In versions 1.6 and below, Mermaid (a to render diagrams) allows

Share

EUVD-2026-44674 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy