Cursor AI Code Editor RCE Flaw Allows Malicious Code to Autorun on Machines
A critical vulnerability in the Cursor AI Code Editor exposes developers to stealthy remote code execution (RCE) attacks when opening code repositories, security researchers warn.
The flaw, discovered by Oasis Security, allows attackers to deliver and run harmful code automatically, with no warning prompt, putting vital secrets and cloud access at risk.
Vulnerability Breakdown
Cursor, a popular IDE leveraging AI-assisted coding, ships with Workspace Trust disabled by default. This configuration lets VS Code-style tasks run instantly when a user opens a project folder.
Specifically, if a repository contains a malicious .vscode/tasks.json file with the option runOptions.runOn: "folderOpen", the IDE executes code as soon as the project is accessed – without seeking user permission or displaying any trust prompt.
This behavior transforms a routine “open folder” action into a silent code execution event.
Attackers can exploit this flaw by crafting repositories that launch tasks capable of stealing credentials, exfiltrating files, or establishing remote access the moment a developer inspects the repository in Cursor.
Oasis Security published a full technical breakdown and working proof of concept to highlight the risk.
Developer machines often hold privileged information: cloud secrets, API keys, and login sessions used for SaaS and CI/CD environments.
When autorun is activated by default, compromise can extend beyond the developer’s laptop to cloud services or automated pipelines.
Attackers exploiting this flaw gain quick access to sensitive environments, including service accounts with broad permissions, posing serious risk for engineering teams and infrastructure.
Users of Cursor with default settings are most exposed. In comparison, Visual Studio Code blocks such automatic execution unless Workspace Trust is explicitly given by the user, lowering the risk for VS Code users.
Cursor’s team acknowledges the issue, noting that Workspace Trust can be enabled by users and that updated guidance is forthcoming. Oasis Security recommends that teams take these immediate actions:
- Enable Workspace Trust, and require the startup trust prompt.
- Disable automatic tasks by setting task.allowAutomaticTasks: "off".
- Open unknown repositories in viewer-only editors or disposable containers to limit potential damage.
- Search your projects for suspicious .vscode/tasks.json entries using "runOn": "folderOpen".
- Monitor for unexpected shell commands and outbound network activity right after opening new projects.
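One way to carry out the tasks.json search from the list above, as an added example that is not code from Oasis Security or Cursor. The function names are hypothetical, the sample file is constructed, and the check is an exact match on the "folderOpen" value; files that cannot be parsed are flagged for manual review rather than skipped.

```python
import json
import os
import re
import sys

# tasks.json is JSONC: each pattern matches a string (kept) or debris (dropped).
_COMMENTS = re.compile(r'"(?:\\.|[^"\\])*"|//[^\n]*|/\*.*?\*/', re.S)
_TRAILING = re.compile(r'"(?:\\.|[^"\\])*"|,(?=\s*[}\]])')

def parse_jsonc(text):
    keep = lambda m: m.group(0) if m.group(0)[0] == '"' else ""
    return json.loads(_TRAILING.sub(keep, _COMMENTS.sub(keep, text)))

def autorun_tasks(text):
    """Return (label, command) for every task set to run when the folder opens."""
    try:
        doc = parse_jsonc(text)
    except ValueError:  # fail closed: an unreadable file still needs a human look
        return [("<unparseable tasks.json, review by hand>", "")]
    tasks = doc.get("tasks", []) if isinstance(doc, dict) else []
    hits = []
    for task in tasks:
        opts = task.get("runOptions") if isinstance(task, dict) else None
        if isinstance(opts, dict) and opts.get("runOn") == "folderOpen":
            hits.append((task.get("label", "<unlabelled>"), str(task.get("command", ""))))
    return hits

def scan_tree(root):
    """Map each .vscode/tasks.json under root to its folder-open tasks."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        if os.path.basename(dirpath) == ".vscode" and "tasks.json" in files:
            path = os.path.join(dirpath, "tasks.json")
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = autorun_tasks(fh.read())
            if hits:
                findings[path] = hits
    return findings

# Constructed sample: one ordinary task and one harmless task set to autorun.
SAMPLE = """{ // comments and trailing commas are legal in tasks.json
  "tasks": [{"label": "build", "command": "make"},
            {"label": "prep", "command": "echo hello", "runOptions": {"runOn": "folderOpen"},},]
}"""

if __name__ == "__main__":
    for path, hits in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(path, hits)
```

Run it against a directory of cloned repositories before opening any of them in the editor; every reported command should be read and understood, not just counted.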
Security experts urge developers to harden their environments to prevent stealthy supply chain attacks driven by booby-trapped code repositories.