In the race to build faster with AI, security is often left in the rearview mirror. A high-severity access-control vulnerability (CVSS 8.2) has been uncovered in Cursor, the popular AI-powered fork of VS Code.
The flaw, discovered by researchers at LayerX, reveals that Cursor fails to protect sensitive developer credentials from its own extension ecosystem. Any installed extension—whether it’s a simple theme or a complex productivity tool—can secretly harvest your OpenAI, Anthropic, and Google API keys without your knowledge or consent.
Technical Breakdown: The Unprotected SQLite Vault
Unlike most modern, secure applications that store secrets in encrypted system-level keychains (like macOS Keychain or Windows Credential Manager), Cursor stores its “crown jewels” in an unprotected, local file.
The Vulnerable Path:
The credentials live in a standard SQLite database located at: ~/Library/Application Support/Cursor/User/globalStorage/state.vscdb
The Architectural Failure:
Because Cursor lacks an access-control boundary between the editor and its extensions, any rogue add-on running in the editor’s context has the exact same file-system permissions as the user. This means an extension doesn’t need to ask for “permission” to read your secrets—it simply opens the database and reads them in plaintext.
Attack Scenario: The “Trojan Theme”
The exploitation complexity is extremely low, making this a prime target for supply-chain attacks.
- The Lure: An attacker publishes a “Best Dark Mode 2026” theme or a “CSS Formatter” on the marketplace.
- The Install: A developer installs it, receiving no security warnings because Cursor treats all extensions as “trusted.”
- The Silent Theft: The extension runs a background script to query the
state.vscdbfile. - Exfiltration: The stolen API keys and session tokens are bundled and sent to a remote C2 (Command & Control) server.
The Risks: Financial and Data Exposure
The fallout from a compromised developer environment is often much larger than a single leaked password:
- AI Billing Fraud: Attackers can rack up thousands of dollars in automated usage charges using your stolen OpenAI or Anthropic keys.
- Data Leakage: Session tokens provide access to your chat history, private code metadata, and previous prompts.
- Backend Access: If your AI keys are linked to broader cloud permissions (like Google Cloud), the breach can pivot into your entire production infrastructure.
Vendor Status: “Working as Intended?”
LayerX reported this issue to Cursor on February 1, 2026. While the Cursor team acknowledged the report, they have yet to issue a fix as of April 30, 2026.
The vendor’s current stance is that extensions operate within the same “local trust boundary” as the user. They argue that any local application could technically read these files, placing the responsibility on the developer to only install “trusted” tools. Security experts disagree, noting that modern software architecture mandates isolation boundaries to protect users from the exact type of supply-chain attacks now being observed.
How to Protect Your Development Environment
Until Cursor migrates its secrets to an encrypted system-level vault, developers must take manual precautions:
- Audit Your Extensions: Remove any third-party extensions that are not from verified, highly-reputable publishers.
- Use Environment Variables: Avoid storing long-term API keys directly within the Cursor settings menu if possible. Use temporary environment variables that aren’t persisted in the
state.vscdbfile. - Monitor Usage: Regularly check your AI provider dashboards (OpenAI/Anthropic/Google) for unusual usage spikes.
- Rotate Tokens Now: If you have installed any unverified or “niche” extensions recently, rotate your API keys immediately and clear your Cursor session tokens.
Conclusion: The Trust Gap in AI Tooling
The Cursor vulnerability is a stark reminder that “AI-first” doesn’t always mean “Security-first.” As we integrate AI deeper into our workflows, we must demand the same isolation and encryption standards we expect from our operating systems and browsers.
