CVE-2026-22708 | THREATINT

Description

Cursor is a code editor built for programming with AI. Prior to 2.3, hen the Cursor Agent is running in Auto-Run Mode with Allowlist mode enabled, certain shell built-ins can still be executed without appearing in the allowlist and without requiring user approval. This allows an attacker via indirect or direct prompt injection to poison the shell environment by setting, modifying, or removing environment variables that influence trusted commands. This vulnerability is fixed in 2.3.

PUBLISHED Reserved 2026-01-08 | Published 2026-01-14 | Updated 2026-01-14 | Assigner GitHub_M

HIGH: 7.2CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U

Problem types

CWE-15: External Control of System or Configuration Setting

CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CWE-94: Improper Control of Generation of Code ('Code Injection')

CWE-269: Improper Privilege Management

Product status

< 2.3

affected

References

github.com/...cursor/security/advisories/GHSA-82wg-qcm4-fp2w

cve.org (CVE-2026-22708)

nvd.nist.gov (CVE-2026-22708)

Download JSON