CVE-2026-31854
Published: 11 March 2026
Summary
CVE-2026-31854 is a high-severity OS Command Injection (CWE-78) vulnerability in Anysphere Cursor. Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Command and Scripting Interpreter (T1059). The CVE ranks at the 19.2nd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related: it is categorised as Enterprise AI Assistants, in the LLM/Generative AI Risks risk domain.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-31854 is an indirect prompt injection vulnerability (CWE-78: OS Command Injection) in Cursor, an AI-powered code editor designed for programming with AI assistance. Versions prior to 2.0 are affected: a visited website containing maliciously crafted instructions can trick the AI model into following them under the guise of "assisting" the user. When combined with a bypass of the command whitelist mechanism, this results in automatic execution of commands without the user's explicit intent. The issue carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
Remote attackers can exploit this vulnerability by luring users to visit a malicious website. The attack has low complexity and requires no privileges, though user interaction is necessary. Successful exploitation enables arbitrary command execution on the victim's system, potentially leading to high-impact confidentiality, integrity, and availability compromises, such as data theft, system modification, or disruption.
The vulnerability is addressed in Cursor version 2.0. Practitioners should ensure deployments are updated to this version or later. Additional details are available in the GitHub security advisory at https://github.com/cursor/cursor/security/advisories/GHSA-hf2x-r83r-qw5q.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-11245
Vulnerability details
Cursor is a code editor built for programming with AI. Prior to 2.0, if a visited website contains maliciously crafted instructions, the model may attempt to follow them in order to “assist” the user. When combined with a bypass of the command whitelist mechanism, such indirect prompt injections could result in commands being executed automatically, without the user’s explicit intent, thereby posing a significant security risk. This vulnerability is fixed in 2.0.
- CWE(s)
AI Security Analysis
- AI Category: Enterprise AI Assistants
- Risk Domain: LLM/Generative AI Risks
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: Matched keywords: ai
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Indirect prompt injection combined with a whitelist bypass in the AI editor enables arbitrary OS command execution (T1059) after the user visits a malicious site (T1189/T1204.001). The mapping to RCE is direct, but the AI-specific vector adds minor uncertainty.
Mitigating Controls (NIST 800-53 r5)
Timely flaw remediation ensures Cursor is updated to version 2.0, directly addressing the prompt injection and command whitelist bypass vulnerability.
Information input validation sanitizes and checks web-originated prompts to prevent malicious instructions from tricking the AI model into command execution.
Least functionality restricts the AI code editor to essential features, minimizing the attack surface for unauthorized command execution via prompt injection.