Critical Vulnerability in Cursor AI Exposes Developer Credentials to Malicious Extensions
A significant security flaw has been identified in Cursor, a widely used AI-powered integrated development environment (IDE): any installed extension can read developers’ API keys and session tokens without their knowledge. The vulnerability is rated high severity, with a score of 8.2 on the Common Vulnerability Scoring System (CVSS), and poses a substantial risk to developers and organizations that rely on Cursor for their coding activities.
Understanding the Vulnerability
The core of this issue lies in Cursor’s handling of sensitive credentials. Unlike many secure applications that store such information in protected operating system keychains, Cursor saves API keys and session tokens in an unprotected local SQLite database located at `~/Library/Application Support/Cursor/User/globalStorage/state.vscdb`. This storage method lacks adequate access controls, allowing any installed extension to read the database file without requiring special permissions.
This design flaw means that malicious extensions can exploit the vulnerability by accessing and exfiltrating sensitive data without triggering any alerts or requiring user interaction. The exploitation process is straightforward and involves the following steps:
1. Publication of Malicious Extension: An attacker publishes an extension that appears legitimate, such as a custom theme or productivity tool, to the Cursor extension marketplace.
2. Installation by Developer: A developer installs the extension, unaware of its malicious intent, as no permission warnings are presented regarding credential access.
3. Credential Extraction: The malicious extension silently queries the local SQLite database to retrieve stored API keys and session tokens.
4. Data Exfiltration: The extracted credentials are transmitted to a remote server controlled by the attacker, all without any visible changes to the user interface.
Potential Consequences
The implications of this vulnerability are severe, especially considering the widespread use of third-party AI services within Cursor. Stolen credentials can lead to:
– Unauthorized Access: Attackers can gain full access to developers’ session tokens and backend services, compromising linked AI accounts such as those with OpenAI, Google, or Anthropic.
– Financial Losses: Malicious actors can exploit stolen API keys to generate unauthorized usage charges, potentially resulting in significant financial losses for affected individuals and organizations.
– Data Exposure: Sensitive information, including private data, previous chat prompts, and code metadata, can be accessed and misused by attackers.
Vendor Response and Current Status
The vulnerability was reported to Cursor’s security team on February 1, 2026. The team acknowledged the report on February 5, stating that extensions operate within the same local trust boundary as the user and that any local application with file system access could potentially read the data. As of April 28, 2026, the vulnerability remains unpatched, with the vendor maintaining that it is the user’s responsibility to install only trusted extensions.
Recommendations for Developers
Given the current status, developers are advised to:
– Audit Installed Extensions: Regularly review and assess all installed extensions for legitimacy and trustworthiness.
– Avoid Unverified Extensions: Refrain from installing extensions from unverified or unknown sources to minimize the risk of credential compromise.
– Monitor for Unauthorized Access: Implement monitoring mechanisms to detect any unauthorized access or unusual activity within development environments.
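One way to start the extension audit recommended above is to scan each installed extension's manifest for mismatches with what it claims to be. The script below is an added example, not code from Cursor or from the original report. It assumes extensions are unpacked under `~/.cursor/extensions` and use the VS Code `package.json` manifest fields (`main`, `browser`, `categories`, `activationEvents`). The sample manifests are constructed, and a flag is a prompt for manual review, not proof of malice.

```python
import json
import tempfile
from pathlib import Path

# Assumption: default per-user extension directory (not stated in the article).
DEFAULT_EXT_DIR = Path.home() / ".cursor" / "extensions"
PASSIVE_CATEGORIES = {"themes", "snippets", "keymaps", "language packs"}
EAGER_EVENTS = {"*", "onStartupFinished"}

def audit_manifest(manifest: dict) -> list:
    """Return the reasons one extension manifest deserves manual review."""
    reasons = []
    has_code = bool(manifest.get("main") or manifest.get("browser"))
    categories = {str(c).lower() for c in manifest.get("categories") or []}
    # A pure theme or snippet pack contributes data only and needs no entry point.
    if has_code and categories and categories <= PASSIVE_CATEGORIES:
        reasons.append("passive category but ships executable code")
    if has_code and EAGER_EVENTS & set(manifest.get("activationEvents") or []):
        reasons.append("code activates on every startup")
    return reasons

def audit_extensions(ext_dir: Path) -> dict:
    """Map extension folder name -> review reasons for every flagged extension."""
    findings = {}
    for pkg in sorted(Path(ext_dir).glob("*/package.json")):
        try:
            manifest = json.loads(pkg.read_text(encoding="utf-8"))
            reasons = audit_manifest(manifest)
        except (OSError, ValueError, AttributeError, TypeError):
            reasons = ["unreadable or malformed package.json"]
        if reasons:
            findings[pkg.parent.name] = reasons
    return findings

def build_sample(root: Path) -> Path:
    """Write constructed sample manifests (not real extensions) under root."""
    samples = {
        "acme.dark-theme-1.0.0": {"categories": ["Themes"]},
        "acme.neon-theme-2.1.0": {"categories": ["Themes"], "main": "./out/ext.js",
                                  "activationEvents": ["*"]},
        "acme.linter-0.3.0": {"categories": ["Linters"], "main": "./dist/main.js",
                              "activationEvents": ["onLanguage:python"]},
    }
    for name, manifest in samples.items():
        (root / name).mkdir(parents=True, exist_ok=True)
        (root / name / "package.json").write_text(json.dumps(manifest), encoding="utf-8")
    return root

if __name__ == "__main__":
    target = DEFAULT_EXT_DIR if DEFAULT_EXT_DIR.is_dir() else build_sample(Path(tempfile.mkdtemp()))
    for name, reasons in audit_extensions(target).items():
        print(f"{name}: {'; '.join(reasons)}")
```

An extension that passes these checks can still read local files, so the output narrows the review list rather than clearing anything.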
Call for Enhanced Security Measures
To mitigate such vulnerabilities, it is imperative for development tools like Cursor to implement strict isolation boundaries between extensions and sensitive data. Storing credentials in encrypted, system-level storage solutions, such as the Windows Credential Manager or macOS Keychain, would provide an additional layer of security. Until such measures are adopted, developers must exercise heightened vigilance to protect their credentials and maintain the integrity of their development environments.