Cursor AI Code Editor RCE Flaw Allows Automatic Malware Execution

A critical remote code execution (RCE) vulnerability has been identified in the Cursor AI Code Editor that allows an attacker to execute arbitrary commands on a developer’s machine the moment a project folder is opened.

Discovered by the research team at Oasis Security, the flaw stems from a default configuration in Cursor: the editor inherits Visual Studio Code's "Workspace Trust" feature but ships with it disabled, so the consent prompts that would otherwise gate project-defined automation never appear.

Vulnerability Details

Cursor's default installation ships with Workspace Trust turned off, meaning the editor will automatically run tasks defined in a project without first asking the user whether the folder's source is trusted.

An attacker can craft a malicious repository containing a specially configured .vscode/tasks.json file that sets the runOptions.runOn parameter to "folderOpen".

Once a developer opens the compromised project folder in Cursor, any commands listed in that task file execute under the user’s security context without any warning.

This transforms a routine code pull into a hidden execution chain, silently running scripts that could install backdoors, exfiltrate files, or modify system settings.

Developer workstations often store high-privilege credentials, including cloud API keys, personal access tokens, and active sessions to critical services.

Exploiting this flaw grants immediate access to such secrets, enabling data theft or lateral movement.

From the initial foothold, an attacker can pivot into connected CI/CD pipelines and cloud infrastructure, potentially compromising service accounts with broad permissions.

This kind of non-human identity takeover can lead to widespread organizational exposure, turning a single malicious repository into the starting point for a full-scale supply chain attack.

Mitigation Recommendations

Cursor has acknowledged the issue and plans to publish updated security guidance.

In the interim, development teams should manually enable Workspace Trust in Cursor’s settings to ensure task execution requires explicit user approval.

It is also advisable to set the task.allowAutomaticTasks preference to "off", preventing any automatic tasks from running regardless of trust status.
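A defender-side check covering both points above (the folderOpen trigger in .vscode/tasks.json and the two hardening settings), as an added example that is not part of the original article or of Cursor's own tooling. It assumes the settings keys are spelled as in VS Code's settings.json, which Cursor inherits; the sample tasks.json it scans is constructed here with a harmless echo command.

```python
import json
import tempfile
from pathlib import Path

# Setting keys as used in VS Code's settings.json (assumed to carry over to Cursor).
TRUST_SETTING = "security.workspace.trust.enabled"
AUTO_TASK_SETTING = "task.allowAutomaticTasks"


def _load_jsonc(path: Path) -> dict:
    # tasks.json/settings.json allow full-line // comments; drop them before parsing.
    lines = [ln for ln in path.read_text(encoding="utf-8").splitlines()
             if not ln.lstrip().startswith("//")]
    return json.loads("\n".join(lines))


def find_folder_open_tasks(repo: Path) -> list[dict]:
    """Return every task in the checkout that would auto-run when the folder is opened."""
    findings = []
    for tasks_file in repo.rglob(".vscode/tasks.json"):
        try:
            doc = _load_jsonc(tasks_file)
        except (json.JSONDecodeError, UnicodeDecodeError):
            continue  # unparseable file: cannot auto-run, but worth a manual look
        for task in doc.get("tasks", []):
            if task.get("runOptions", {}).get("runOn") == "folderOpen":
                cmd = " ".join([task.get("command", "")] + list(task.get("args", []))).strip()
                findings.append({"file": tasks_file.relative_to(repo).as_posix(),
                                 "label": task.get("label", "<unnamed>"), "command": cmd})
    return findings


def settings_gaps(settings: dict) -> list[str]:
    """Report the two hardening settings the article recommends when missing or weak."""
    gaps = []
    if settings.get(TRUST_SETTING) is not True:
        gaps.append(f"{TRUST_SETTING} should be true (Workspace Trust is off by default)")
    if settings.get(AUTO_TASK_SETTING) != "off":
        gaps.append(f'{AUTO_TASK_SETTING} should be "off"')
    return gaps


def demo() -> dict:
    """Scan a constructed checkout: one ordinary build task, one folderOpen task."""
    root = Path(tempfile.mkdtemp())
    (root / ".vscode").mkdir()
    (root / ".vscode" / "tasks.json").write_text(json.dumps({"version": "2.0.0", "tasks": [
        {"label": "build", "type": "shell", "command": "make"},
        {"label": "setup", "type": "shell", "command": "echo", "args": ["constructed sample"],
         "runOptions": {"runOn": "folderOpen"}}]}))
    return {"tasks": find_folder_open_tasks(root), "gaps": settings_gaps({})}
```

Run `find_folder_open_tasks` over a fresh clone before opening it in the editor, and `settings_gaps` over the user or workspace settings.json to confirm the two recommended settings are in place.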

Unknown or untrusted repositories should be opened in isolated environments, such as disposable containers or virtual machines, to contain potential execution.

Security teams integrating Cursor into their toolchains should update organizational policies to include workspace trust checks and continuous monitoring of developer environments for unauthorized file changes.

The discovery underscores the need for robust default security configurations in AI-assisted development tools.

As AI-driven code editors become more widely adopted, ensuring that external context cannot silently trigger local operations will be vital to protecting the software supply chain and the integrity of development environments.


AnuPriya
AnuPriya is a cybersecurity reporter at Cyber Press, specializing in cyber attacks, dark web monitoring, data breaches, vulnerabilities, and malware. She delivers in-depth analysis on emerging threats and digital security trends.
