Cursor Vulnerability Allows API Key Theft via Rogue Extensions
Ask AI about this cluster
Analyzing cluster data...
Referenced clusters:
Something went wrong. Please try again.
Cluster AI
Ask questions about this threat cluster with AI-powered analysis.
Get Researcher $29.99/moArticle Content
A high-severity vulnerability in the Cursor AI development tool enables any installed extension to access sensitive API keys and session tokens without user interaction. Discovered by LayerX, this flaw has a CVSS score of 8.2 and stems from Cursor's use of an unprotected local SQLite database for storing credentials. As a result, any extension, regardless of permissions, can directly query this database, leading to potential credential theft and unauthorized access to third-party services. LayerX reported the issue to Cursor, which acknowledged it but stated that users must define their own trust boundaries. As of April 28, 2026, the vulnerability remains unpatched, posing significant risks to developers using Cursor. Malicious extensions can be disguised as harmless tools, making detection challenging. The implications extend beyond Cursor, potentially affecting services like OpenAI and Google.
Key Points: • Cursor's vulnerability allows any extension to access sensitive API keys and session tokens. • The flaw has a CVSS score of 8.2 and remains unpatched as of April 28, 2026. • Malicious extensions can extract credentials without user interaction, increasing the risk of data theft.