CVE-2026-22708
Published: 14 January 2026
Summary
CVE-2026-22708 is a critical-severity External Control of System or Configuration Setting (CWE-15) vulnerability in Anysphere Cursor. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Unix Shell (T1059.004); ranked at the 20.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related — categorised as Other AI Platforms; in the LLM/Generative AI Risks risk domain.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and CM-7 (Least Functionality).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Enforces approved authorizations to prevent unauthorized execution of shell built-ins that bypass the allowlist in Cursor Agent's Auto-Run Mode.
Limits system to essential capabilities by prohibiting unnecessary shell built-ins and restricting configurations that enable environment poisoning.
Validates inputs to the Cursor Agent to neutralize prompt injection attacks that set or modify environment variables influencing trusted commands.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Direct bypass of allowlist in Auto-Run shell mode enables Unix shell built-in execution and environment variable manipulation via prompt injection, leading to command injection and arbitrary code execution.
NVD Description
Cursor is a code editor built for programming with AI. Prior to 2.3, hen the Cursor Agent is running in Auto-Run Mode with Allowlist mode enabled, certain shell built-ins can still be executed without appearing in the allowlist and without…
more
requiring user approval. This allows an attacker via indirect or direct prompt injection to poison the shell environment by setting, modifying, or removing environment variables that influence trusted commands. This vulnerability is fixed in 2.3.
Deeper analysisAI
CVE-2026-22708 affects Cursor, an AI-powered code editor for programming, in versions prior to 2.3. The vulnerability resides in the Cursor Agent when operating in Auto-Run Mode with Allowlist mode enabled. In this configuration, certain shell built-ins can be executed without inclusion in the allowlist or requiring user approval, enabling attackers to leverage indirect or direct prompt injection to poison the shell environment. This involves setting, modifying, or removing environment variables that influence the behavior of trusted commands. The issue carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWEs including CWE-15 (External Control of System or Configuration Setting), CWE-74 (Improper Neutralization of Special Elements), CWE-77/78 (Command Injection variants), CWE-94 (Code Injection), and CWE-269 (Privilege Context Switching).
Remote attackers require no privileges or user interaction to exploit this vulnerability over the network with low complexity. By crafting malicious prompts, they can manipulate environment variables, potentially altering the execution of trusted shell commands and leading to arbitrary code execution, data exfiltration, or system compromise within the poisoned environment.
The vulnerability is fully addressed in Cursor version 2.3, as detailed in the official security advisory at https://github.com/cursor/cursor/security/advisories/GHSA-82wg-qcm4-fp2w. Security practitioners should ensure users upgrade to 2.3 or later and review configurations for Auto-Run Mode and Allowlist usage, particularly in AI-assisted development workflows prone to prompt injection risks.
Details
- CWE(s)
Affected Products
AI Security AnalysisAI
- AI Category
- Other AI Platforms
- Risk Domain
- LLM/Generative AI Risks
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Matched keywords: ai, prompt injection