Cursor has a Terminal Tool Allowlist Bypass via Environment Variables

7.2 / 10

HIGH

CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U

Description

Cursor is a code editor built for programming with AI. Prior to 2.3, hen the Cursor Agent is running in Auto-Run Mode with Allowlist mode enabled, certain shell built-ins can still be executed without appearing in the allowlist and without requiring user approval.
This allows an attacker via indirect or direct prompt injection to poison the shell environment by setting, modifying, or removing environment variables that influence trusted commands. This vulnerability is fixed in 2.3.

Basic Information

ID CVE-2026-22708

Source GitHub_M

Published Jan 14, 2026 at 16:43

Modified Jan 14, 2026 at 16:59

Affected Product

Vendor cursor

Product cursor

Version < 2.3

Affected Versions cursor cursor < 2.3

CWE Classification

CWE-15 CWE-74 CWE-77 CWE-78 CWE-94 CWE-269

References

github.com /cursor/cursor/security/advisories/GHSA-82wg-qcm4-fp2w

{
    "lastseen": "",
    "description": "Cursor is a code editor built for programming with AI. Prior to 2.3, hen the Cursor Agent is running in Auto-Run Mode with Allowlist mode enabled, certain shell built-ins can still be executed without appearing in the allowlist and without requiring user approval.\nThis allows an attacker via indirect or direct prompt injection to poison the shell environment by setting, modifying, or removing environment variables that influence trusted commands. This vulnerability is fixed in 2.3.",
    "published": "2026-01-14T16:43:54.000Z",
    "modified": "2026-01-14T16:59:53.022Z",
    "type": "cve",
    "title": "Cursor has a Terminal Tool Allowlist Bypass via Environment Variables",
    "source": "GitHub_M",
    "references": "https://github.com/cursor/cursor/security/advisories/GHSA-82wg-qcm4-fp2w",
    "id": "CVE-2026-22708",
    "bulletinFamily": "",
    "cwe": [
        "CWE-15",
        "CWE-74",
        "CWE-77",
        "CWE-78",
        "CWE-94",
        "CWE-269"
    ],
    "cvelist": null,
    "sourceData": "cursor cursor < 2.3",
    "sourceHref": "",
    "cvss": {
        "score": 7.2,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "cursor",
    "version": "< 2.3",
    "vendor": "cursor",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Cursor has a Terminal Tool Allowlist Bypass via Environment Variables_CVE-2026-22708