AI Security Wire

CVE-2026-22708: Cursor Allowlist Bypass Turns Safe Commands Into RCE


Cursor, the agentic IDE used by hundreds of thousands of developers, shipped a critical sandbox bypass in versions prior to 2.3. Tracked as CVE-2026-22708, the vulnerability allows an attacker to poison a developer’s shell environment through shell built-ins that Cursor’s allowlist mechanism implicitly trusts, converting approved commands into arbitrary code execution. The attack works with no user interaction in its most dangerous form.

The Allowlist That Doesn’t

Cursor’s Auto-Run Mode lets the AI agent execute terminal commands autonomously. To limit risk, the feature supports an Allowlist that restricts which commands the agent can run without explicit approval. The design assumption is straightforward: only allowlisted commands execute, everything else requires the user to approve.

CVE-2026-22708 breaks that assumption at the shell level. Shell built-ins like export, typeset, and declare are not separate executables, so they never appear in the allowlist evaluation: the shell interpreter runs them itself, outside the list of commands the agent is authorised to run. An attacker who can influence the Cursor agent’s inputs through prompt injection can use these built-ins to modify environment variables before a legitimate, allowlisted command executes.

The result: an approved command like git branch or python3 script.py inherits a poisoned environment and becomes an arbitrary code execution vector, even though neither the allowlist nor the user’s approval flow flagged anything unusual.
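To make the gap concrete, here is an added example (not Cursor's code, and not from the Pillar Security write-up) contrasting two command gates. `naive_gate` models an allowlist that only ever evaluates executable programs: it skips NAME=value prefixes and shell built-ins because neither is a program on disk, which is exactly the blind spot described above. `strict_gate` is the defender's alternative: it accepts only a single literal allowlisted program with literal arguments and rejects, with a loggable reason, anything that lets the shell do work first (assignments, built-ins, control operators, substitution or parameter expansion). The allowlist, the built-in set and the sample command lines are constructed for the demonstration.

```python
import re
import shlex

# Constructed allowlist for this demonstration; it is not Cursor's configuration.
ALLOWLIST = {"git", "python3", "ls", "npm"}

# Shell built-ins that alter the interpreter's state (environment, aliases,
# sourced code) without ever being a separate program on disk.
STATE_CHANGING_BUILTINS = {
    "export", "declare", "typeset", "unset", "readonly", "set",
    "alias", "eval", "exec", "source", ".",
}

# NAME=value at the start of a command is an environment assignment scoped to
# that command, not a program name.
ASSIGNMENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*=")

# Characters that make a line more than one literal command: control
# operators, redirections, command substitution and parameter expansion.
SHELL_METACHARACTERS = re.compile(r"[;&|(){}<>`$\n]")

# Separators the naive evaluator recognises when it looks for "programs".
CONTROL_SPLIT = re.compile(r"\s*(?:&&|\|\||[;|&\n])\s*")


def naive_gate(cmdline: str) -> bool:
    """Model of an allowlist that evaluates only executable programs.

    It splits the line on control operators, strips NAME=value prefixes and
    skips shell built-ins (neither is an executable, so the check never sees
    them), then requires every remaining program to be allowlisted.  This is
    the shape of check the article describes as insufficient.
    """
    for segment in CONTROL_SPLIT.split(cmdline.strip()):
        tokens = segment.split()
        while tokens and ASSIGNMENT.match(tokens[0]):
            tokens.pop(0)
        if not tokens or tokens[0] in STATE_CHANGING_BUILTINS:
            continue  # nothing here that the allowlist treats as a program
        if tokens[0] not in ALLOWLIST:
            return False
    return True


def strict_gate(cmdline: str) -> tuple[bool, str]:
    """Allow only a single literal allowlisted program with literal arguments.

    Anything that would let the shell do work before the program starts
    (assignments, built-ins, operators, expansion) is rejected with a reason
    that can be logged or shown to the user.
    """
    if SHELL_METACHARACTERS.search(cmdline):
        return False, "shell metacharacter"
    try:
        tokens = shlex.split(cmdline)
    except ValueError:
        return False, "unbalanced quoting"
    if not tokens:
        return False, "empty command"
    if ASSIGNMENT.match(tokens[0]):
        return False, "environment assignment prefix"
    if tokens[0] in STATE_CHANGING_BUILTINS:
        return False, "shell built-in"
    if tokens[0] not in ALLOWLIST:
        return False, "not allowlisted"
    return True, "ok"


# Constructed sample lines of the kind an agent might propose; none is real
# attacker output.
SAMPLES = [
    "git branch",
    "python3 script.py",
    "export FOO=1",
    "export FOO=1; git branch",
    "FOO=1 python3 script.py",
    "ls $(cat notes.txt)",
    "rm -rf build",
]


def compare(samples=SAMPLES) -> dict[str, tuple[bool, bool, str]]:
    """Map each line to (naive verdict, strict verdict, strict reason)."""
    result = {}
    for line in samples:
        allowed, reason = strict_gate(line)
        result[line] = (naive_gate(line), allowed, reason)
    return result


if __name__ == "__main__":
    for line, (naive, strict, reason) in compare().items():
        print(f"{line!r:32} naive={naive!s:5} strict={strict!s:5} ({reason})")
```

Running the comparison shows the naive gate passing `export FOO=1` (there is no program for it to evaluate), `export FOO=1; git branch` and `FOO=1 python3 script.py`, while the strict gate rejects all three before any allowlisted program inherits a modified environment. The strict gate is deliberately conservative: it also refuses metacharacters inside quotes, trading a few false positives on legitimate commit messages for a check that does not depend on reproducing the shell's parsing rules.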

Two Exploit Paths

Pillar Security researchers documented two distinct exploitation paths. The zero-click variant requires no user interaction at all. By chaining shell syntax and parameter expansion features, an attacker can trigger code execution entirely through the environment poisoning, with the Cursor agent never surfacing an approval prompt. The developer sees nothing.

The one-click variant presents the user with a seemingly safe command for approval. The environment has already been poisoned by a prior implicit built-in execution. When the user approves the safe command, the poisoned environment executes the attacker’s payload alongside it.

Both paths depend on achieving prompt injection against the Cursor agent. That vector is not exotic. It can come from a malicious MCP server, from specially crafted content in a file the agent reads, from a dependency README, or from any data source that flows into the agent’s context window. AI coding agents are designed to read and act on file content, making prompt injection a broad attack surface by default.

Scope and CVSS

The NVD entry for CVE-2026-22708 rates this as a critical-severity vulnerability. SentinelOne’s vulnerability database confirms the terminal tool allowlist bypass affects all Cursor releases prior to version 2.3. The Cursor team shipped 2.3 as the remediated release.

Oasis Security independently documented a related “Open-Folder Autorun” vulnerability in Cursor that allows silent code execution when a developer opens a folder, adding to the picture of Cursor’s agentic attack surface as a research target this year.

Developer Tooling as the New Attack Surface

This vulnerability class is not Cursor-specific. Any agentic IDE or coding assistant that runs terminal commands on behalf of the developer while ingesting untrusted data from the project environment is structurally exposed to similar attacks. The allowlist mechanism is a reasonable user-interface control; it is not a security boundary against shell-level environment manipulation.

The threat model for developer tooling has shifted. When a coding agent reads files, fetches dependencies, connects to MCP servers, and executes terminal commands autonomously, the traditional perimeter of “the developer reviewed this before it ran” no longer holds. An attacker who can inject instructions into any data source that reaches the agent’s context can influence what runs on the developer’s machine.

This is particularly relevant in supply chain contexts. A compromised dependency that includes a malicious README or build artifact could deliver a prompt injection payload to Cursor users who open the project.

Remediation

Upgrade to Cursor 2.3 immediately. The fix addresses the implicit trust given to shell built-ins in allowlist evaluation. For teams that cannot patch immediately, disabling Auto-Run Mode eliminates the exploitation path at the cost of removing autonomous command execution capability.

Treat Auto-Run Mode with Allowlist as a convenience feature rather than a security boundary in any current version prior to 2.3. Projects that include third-party code, external dependencies, or MCP server connections should be considered higher-risk environments for prompt injection delivery.

Frequently Asked Questions

What is CVE-2026-22708 and which versions of Cursor are affected?
CVE-2026-22708 is a sandbox bypass in Cursor's Auto-Run Mode that allows shell environment variable poisoning through implicitly trusted built-ins like export, typeset, and declare. All Cursor versions prior to 2.3 are affected when Auto-Run Mode is enabled alongside Allowlist mode.
Can this be exploited without user interaction?
Yes. Researchers at Pillar Security documented both zero-click and one-click variants. In the zero-click path, an attacker exploits shell syntax and parameter expansion via prompt injection to execute arbitrary code with no user approval step. The one-click path requires the user to approve a seemingly safe command that then triggers malicious code through the poisoned environment.
What should developers do right now?
Upgrade to Cursor version 2.3 immediately. If immediate patching is not possible, disable Auto-Run Mode in Cursor settings until the upgrade is applied. Treat any project opened in Cursor that contains third-party dependencies or MCP-connected data as a potential prompt injection surface.