Critical Cursor AI Extension Bug Exposes Developer Tokens
Key Takeaways A critical access-control vulnerability (CVSS 8.2) has been discovered in Cursor, an AI-powered coding environment. The flaw allows malicious extensions to steal sensitive developer API...
Key Takeaways
- A critical access-control vulnerability (CVSS 8.2) has been discovered in Cursor, an AI-powered coding environment.
- The flaw allows malicious extensions to steal sensitive developer API keys and session tokens.
- The issue stems from Cursor storing credentials in an unprotected local SQLite database without proper access controls.
- As of April 28, 2026, the vulnerability remains unpatched, with the vendor stating it is the user’s responsibility to install trusted extensions.
Critical Flaw in Cursor AI Exposes Developer Credentials
A severe security vulnerability, identified as CVE-2026-XXXX (CVSS score 8.2), has been uncovered in Cursor, a popular AI-driven coding platform. This high-severity flaw could lead to the complete compromise of developer credentials, including API keys and session tokens, posing a significant risk to users.
Table Of Content
Security researchers at LayerX discovered that the architectural design of Cursor permits any installed extension to surreptitiously access a developer’s API keys and session tokens. This unhindered access bypasses typical security safeguards, enabling a total credential compromise without triggering alerts or requiring user interaction.
Underlying Technical Details
Unlike many secure applications that leverage protected operating system keychains for storing sensitive data, Cursor stores these critical credentials in an unencrypted, local SQLite database. This database is located at ~/Library/Application Support/Cursor/User/globalStorage/state.vscdb on affected systems.
The core of the vulnerability lies in Cursor’s lack of robust access control boundaries between its extensions and this sensitive database. Consequently, any installed extension, regardless of its origin or perceived trustworthiness, can read the contents of this file. The exploit requires no special privileges, making it trivial for a rogue add-on to extract plaintext data.
The exploitation process is straightforward and requires minimal attack complexity. A realistic attack scenario unfolds as follows:
- An attacker publishes an extension that appears legitimate, such as a custom theme or a productivity tool, to the Cursor marketplace.
- A developer installs this seemingly innocuous extension without receiving any security warnings about potential credential access.
- The malicious extension then silently queries the local SQLite database to retrieve stored API keys and session tokens.
- Finally, the stolen data is exfiltrated to a remote server controlled by the attacker, all without any visible changes to the user interface or system alerts.
Potential Impact of Credential Theft
Given the widespread adoption of third-party AI services within the Cursor environment, the repercussions of this vulnerability could be substantial. Stolen credentials create a direct pathway to several critical risks:
- Full exposure of session tokens, granting unauthorized access to backend services.
- Compromise of linked AI accounts from providers such as OpenAI, Google, or Anthropic.
- Significant financial losses due to attackers racking up automated usage charges on compromised API keys.
- Unauthorized access to private data, historical chat prompts, and other sensitive code metadata.
Vendor Response and Status
LayerX initially reported this critical issue to Cursor on February 1, 2026. Cursor’s security team acknowledged the report on February 5, but indicated that extensions operate within the same local trust boundary as the user. They contended that any local application with filesystem access could potentially read this data.
As of April 28, 2026, the vulnerability remains unpatched. The vendor’s stance is that it is solely the user’s responsibility to install only trusted extensions. However, security experts strongly advocate for Cursor to implement stringent isolation boundaries between extensions and to migrate sensitive credentials to encrypted, system-level storage solutions, such as the Windows Credential Manager or macOS Keychain, to properly secure user data.
What You Should Do
- Until a permanent fix is deployed by Cursor, developers should exercise extreme caution and meticulously audit all installed extensions.
- Avoid downloading and installing unverified or untrusted tools from the marketplace.
- Consider limiting the use of sensitive API keys within the Cursor environment if possible.
- Regularly rotate API keys and monitor for any unauthorized activity on linked AI service accounts.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.