Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Unauthenticated endpoint gives PR:N; needing a browser-enabled session plus victim-loaded malicious content maps to AC:H and UI:R; pivot from web context into the container justifies S:C with full session compromise.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Cursor is a code editor built for programming with AI. Prior to the Cloud Agent fix on 03/31/2026, browser-enabled Cursor Cloud Agent sessions allowed attacker-controlled web content to connect from inside the agent container to an unauthenticated local agent endpoint, enabling code execution within the affected Cloud Agent sandbox or session and access to files, repository contents, environment variables, credentials, and GitHub App access tokens available to that session. This issue was fixed on 03/31/2026 by requiring authentication for the relevant agent endpoint.
AnalysisAI
Server-side request forgery leading to code execution in Cursor's browser-enabled Cloud Agent lets attacker-controlled web content reach an unauthenticated local agent endpoint from inside the sandbox, compromising the session. Affecting Cursor Cloud Agent sessions prior to the 03/31/2026 fix, an attacker who gets a browsing agent to load malicious content can run code in the sandbox and read repository contents, environment variables, credentials, and GitHub App access tokens scoped to that session. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a Cursor Cloud Agent session running in browser-enabled mode (the web-browsing capability must be active) and the agent must load attacker-controlled web content, which then connects from inside the agent container to the unauthenticated local agent endpoint. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 base score is 7.7 (High) with vector AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L: network reachable and unauthenticated (PR:N) with full high impact to the vulnerable session, but tempered by an attack requirement (AT:P) and passive user interaction (UI:P) - the victim must be running a browser-enabled agent session that loads the attacker's content, so this is not a fire-and-forget internet-wide exploit. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker plants malicious content on a web page (or a page the agent is likely to be pointed at) and a developer runs a browser-enabled Cursor Cloud Agent task that loads it; the page's content connects to the unauthenticated local agent endpoint inside the container and executes commands. The attacker then reads the cloned repository, environment variables, and the session's GitHub App access token and exfiltrates them. … |
| Remediation | No user action is required for the primary fix: the vendor remediated the issue server-side on 03/31/2026 by requiring authentication for the previously unauthenticated agent endpoint, so all Cloud Agent sessions after that date are covered (Patch available per vendor advisory - see https://github.com/cursor/cursor/security/advisories/GHSA-whx2-4gvm-m3r3). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: disable Cursor Cloud Agent's browser functionality or restrict browsing to a curated allowlist of approved URLs only, and audit session activity logs for suspicious activity. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Cursor AI code editor before 2.3 allows prompt injection to bypass the Agent's Allowlist mode. Shell built-ins can execu
Sandbox escape leading to non-sandboxed remote code execution in Cursor (the AI code editor) prior to version 3.0, where
Sandbox escape leading to non-sandboxed remote code execution affects the Cursor AI code editor prior to version 3.0, wh
Cursor is a code editor built for programming with AI. In versions 1.7 and below, automatic loading of project-specific
Cursor is a code editor built for programming with AI. In versions 1.7 and below, when MCP uses OAuth authentication wit
Cursor is a code editor built for programming with AI. versions up to 2.0 is affected by os command injection.
Unauthorized hook command execution in Cursor Desktop versions prior to 3.0.0 allows a malicious workspace to silently r
Cursor is a code editor built for programming with AI. Versions 1.6.23 and below contain case-sensitive checks in the wa
Cursor versions before 2.5 allow sandbox escape through improper .git configuration file protections, enabling malicious
Cursor is a code editor built for programming with AI. Versions 1.6 and below are vulnerable to Remote Code Execution (R
Cursor is a code editor built for programming with AI. In versions 1.7 and below, a vulnerability in the way Cursor CLI
Cursor is a code editor built for programming with AI. In versions 1.6 and below, Mermaid (a to render diagrams) allows
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44674