Cursor's Safe Mode Was Anything But
The Feature That Wasn’t
Cursor ships with something called Auto-Run Mode. It’s exactly what it sounds like — the AI agent executes terminal commands on your behalf without asking first. Because who has time to read what’s happening in their own terminal, right?
To their credit, Cursor added an allowlist. You specify which commands are okay to run automatically, and everything else gets blocked. In theory, this means you can let the agent run git status and npm test without worrying about it rm -rf-ing your home directory.
In practice, CVE-2026-22708 proved that theory was garbage.
Shell Built-Ins Don’t Care About Your Allowlist
Here’s the thing about shell built-ins like export, set, and unset: they’re not external commands. There is no /usr/bin/export. They’re interpreted by the shell process itself, and the shell is the one that gets handed the whole command line. Cursor’s allowlist validation only checked external commands, so a line whose first word was a built-in had, as far as the validator was concerned, nothing to check. Built-ins sailed right through without so much as a polite knock.
That means an attacker (via prompt injection, a poisoned repo, a malicious .cursorrules file, whatever) could run export PATH=/tmp/evil:$PATH without triggering any allowlist check. The agent’s shell session keeps that change, so every command it runs afterwards inherits the new PATH. Your allowlist says only git and npm are approved? Cool. Now git resolves to /tmp/evil/git, which is actually a script that exfiltrates your SSH keys, AWS credentials, and whatever else is lying around in your environment, and then, if the attacker is careful, hands off to the real git so the output looks completely normal.
The attacker doesn’t need to run a blocked command. They just need to make your trusted commands untrustworthy.
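To make the validation mistake concrete, here is a constructed model of it next to a stricter check. This is an added example, not Cursor’s code and not from the post; the ALLOWLIST of git and npm comes from the text, while the SHELL_BUILTINS subset, the METACHARS set and the two function names are assumptions made for illustration.

```python
"""Added example: a validator that only checks 'external commands' (the flawed shape
the post describes) beside a deny-by-default one. Constructed; not Cursor's code."""
import shlex

# What the user approved (from the post).
ALLOWLIST = {"git", "npm"}

# Words the shell interprets itself. None of them is a file on disk, which is exactly
# why a check that resolves "external commands" never sees them.
# (Constructed subset; a real list must match the shell actually in use.)
SHELL_BUILTINS = {
    "export", "set", "unset", "alias", "unalias", "source", ".", "eval", "exec",
    "cd", "declare", "typeset", "local", "readonly", "trap", "hash", "ulimit", "umask",
}

# Characters that let one line become several commands, or substitute text at runtime.
METACHARS = set(";&|<>`$()\n")


def naive_is_allowed(cmdline: str) -> bool:
    """The flawed shape: if the first word is not an external command there is
    'nothing to compare against the allowlist', so the line is waved through."""
    words = shlex.split(cmdline)
    if not words:
        return False
    if words[0] in SHELL_BUILTINS:
        return True  # <- the bug: a builtin is treated as "not a command, not our problem"
    return words[0] in ALLOWLIST


def strict_is_allowed(cmdline: str) -> bool:
    """Deny by default. The line must be a single simple command whose first word is
    literally an allowlisted program name: no builtins, no assignments, no explicit
    paths, no separators or substitutions anywhere."""
    try:
        words = shlex.split(cmdline)
    except ValueError:  # unbalanced quotes: refuse to guess what the shell would do
        return False
    if not words:
        return False
    if any(ch in METACHARS for ch in cmdline):
        return False  # "git status; export PATH=..." or "git $(curl ...)"
    if words[0] in SHELL_BUILTINS:
        return False  # "export ...", "unset ...", "eval ...", ". ./evil.sh"
    if "=" in words[0] or "/" in words[0]:
        return False  # "PATH=/tmp/evil git status", "/tmp/evil/git status"
    return words[0] in ALLOWLIST


if __name__ == "__main__":
    for line in ("git status", "export PATH=/tmp/malicious:$PATH",
                 "PATH=/tmp/evil git status", "git -c core.pager='sh -c id' log"):
        print(f"{line!r:45} naive={naive_is_allowed(line)!s:5} strict={strict_is_allowed(line)}")
```

Two things to notice. The naive version isn’t stupid; it is the natural shape of “check the command against the list”, and its bug is one early return for things that aren’t commands. And the strict version still passes git -c core.pager='sh -c id' log, a perfectly valid git invocation that runs an arbitrary shell command. Name-level allowlisting cannot tell that apart from git log, which is the larger problem with the whole approach.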
The Attack Chain Is Embarrassingly Simple
Let’s walk through it. An attacker drops a prompt injection payload into a README, a code comment, or any file the Cursor agent might read. The payload tells the agent to run a few harmless-looking shell built-ins:
export PATH="/tmp/malicious:$PATH"
export LD_PRELOAD="/tmp/malicious/hook.so"
Neither of these triggers the allowlist. They’re built-ins. Now when the agent runs npm install, a command you explicitly approved, the shell finds /tmp/malicious/npm before the real one, and LD_PRELOAD tells the dynamic loader to map hook.so into every dynamically linked program the agent starts from that shell, so the attacker’s library gets to interpose on calls like open() and connect() before the real code runs. (LD_PRELOAD hooks library calls, not system calls, and it is the Linux/glibc variable; on macOS the equivalent is DYLD_INSERT_LIBRARIES. Either way, the PATH hijack alone is already enough.)
Game over. The attacker has code execution on your machine, running under your user account, with access to every credential, token, and secret you’ve got.
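The following added example plays out the chain above and shows the one execution-time control that would have blunted it: resolve approved names only in directories the user pinned, and scrub loader variables before every exec. It is constructed for illustration and is not Cursor’s code; the two temp directories stand in for /usr/bin and /tmp/malicious, and the LOADER_AND_SHELL_VARS list, the function names and the fake git scripts are all assumptions.

```python
"""Added example: why an approved name means nothing once PATH and LD_PRELOAD are
attacker-controlled, and a pinned-path runner that ignores both. Constructed; not Cursor's code."""
import os
import stat
import subprocess
import tempfile

# Variables that change *what code runs* when a trusted command name is executed.
# Constructed list for illustration; tailor it to your platform and tools.
LOADER_AND_SHELL_VARS = {
    "LD_PRELOAD", "LD_LIBRARY_PATH", "LD_AUDIT",           # glibc dynamic loader
    "DYLD_INSERT_LIBRARIES", "DYLD_LIBRARY_PATH",          # macOS dyld
    "BASH_ENV", "ENV", "PROMPT_COMMAND",                   # scripts a shell runs on startup
    "GIT_EXEC_PATH", "GIT_CONFIG_GLOBAL", "NODE_OPTIONS",  # per-tool "run my code" knobs
}


def write_script(directory: str, name: str, message: str) -> str:
    """Drop an executable shell script that only reports which copy of `name` ran."""
    path = os.path.join(directory, name)
    with open(path, "w") as f:
        f.write(f"#!/bin/sh\necho '{message}'\n")
    os.chmod(path, os.stat(path).st_mode | stat.S_IXUSR)
    return path


def run_naively(argv: list[str], env: dict) -> str:
    """A runner that trusts the inherited environment: bare name, whatever PATH says."""
    return subprocess.run(argv, env=env, capture_output=True, text=True).stdout.strip()


def scrub_env(env: dict, trusted_dirs: list[str]) -> dict:
    """Drop loader/shell hooks and replace PATH with the directories the *user* pinned."""
    clean = {k: v for k, v in env.items()
             if k not in LOADER_AND_SHELL_VARS and not k.startswith(("LD_", "DYLD_"))}
    clean["PATH"] = os.pathsep.join(trusted_dirs)
    return clean


def run_pinned(argv: list[str], env: dict, trusted_dirs: list[str]) -> str:
    """Mitigation: resolve the allowlisted name only inside trusted_dirs, exec it by
    absolute path, and never consult the agent's PATH. Anything not found there is refused."""
    for d in trusted_dirs:
        candidate = os.path.join(d, argv[0])
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            break
    else:
        raise PermissionError(f"{argv[0]!r} is not present in a pinned directory")
    return subprocess.run([candidate, *argv[1:]], env=scrub_env(env, trusted_dirs),
                          capture_output=True, text=True).stdout.strip()


def demo() -> tuple[str, str]:
    """Build the post's scenario with temp dirs standing in for /usr/bin and /tmp/malicious,
    then run `git status` both ways in the poisoned environment."""
    trusted = tempfile.mkdtemp(prefix="trusted-bin-")
    evil = tempfile.mkdtemp(prefix="malicious-")
    write_script(trusted, "git", "real git ran")
    write_script(evil, "git", "HIJACKED git ran")
    # What the two builtins from the post do to the environment the agent's shell carries:
    poisoned = dict(os.environ,
                    PATH=evil + os.pathsep + trusted,
                    LD_PRELOAD=os.path.join(evil, "hook.so"))
    return (run_naively(["git", "status"], poisoned),
            run_pinned(["git", "status"], poisoned, [trusted]))


if __name__ == "__main__":
    naive, pinned = demo()
    print("inherited PATH :", naive)   # HIJACKED git ran
    print("pinned path    :", pinned)  # real git ran
```

The design move that matters is that the user configures the trusted directories once, the agent’s environment is never the source of truth for what “git” means, and loader variables are stripped before every exec. This closes the specific hole where export rewrites what an approved name resolves to; it does nothing about the real git and npm executing whatever their config and package scripts tell them to.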
The Bigger Problem Nobody Wants to Talk About
CVE-2026-22708 is fixed in Cursor 2.3. Update and move on, right? Except the real issue isn’t one CVE. It’s the entire mental model.
Auto-Run Mode exists because vibe coding’s entire value proposition is removing friction. The developer doesn’t want to approve every command. The AI agent is supposed to just do things. But “just doing things” in a terminal is indistinguishable from “just running arbitrary code,” and the gap between those two concepts is exactly where attackers live.
Allowlists are a band-aid on a design that’s fundamentally at odds with security. You’re giving an AI agent, one that can be manipulated through prompt injection in any file it reads, unsupervised access to a shell. And the approved commands are themselves launchers: npm install runs whatever preinstall and postinstall scripts the dependency tree declares, and git -c core.pager='anything' log hands a command string straight to a shell. An allowlist of names was never going to hold, built-ins or no built-ins. The allowlist is a locked front door on a house with no walls.
What You Should Actually Do
First, update to Cursor 2.3 or later. That’s the obvious one.
Second, disable Auto-Run Mode entirely. Yes, it’s slower. Yes, you’ll have to read terminal commands before they execute. That’s called software development. We used to do it all the time.
Third, stop trusting any AI agent with unsupervised terminal access. Not Cursor, not any tool. The prompt injection surface is too large, the attack chains are too simple, and the consequences are total machine compromise. Every “auto-run” feature in every AI coding tool is a variant of this same vulnerability waiting to happen.
The vibe coders will tell you that reviewing commands manually kills the flow. Maybe. But you know what else kills the flow? Explaining to your security team why your AWS credentials ended up on a BreachForums post because you let an AI agent run export without asking.