CVE-2026-31854
Published: 11 March 2026
Summary
CVE-2026-31854 is a high-severity OS Command Injection (CWE-78) vulnerability in Anysphere Cursor. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Command and Scripting Interpreter (T1059). The vulnerability ranks at the 15.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related: it is categorised as Other AI Platforms, in the LLM/Generative AI Risks risk domain.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) (AI)
Timely flaw remediation ensures Cursor is updated to version 2.0, directly addressing the prompt injection and command whitelist bypass vulnerability.
Information input validation sanitizes and checks web-originated prompts to prevent malicious instructions from tricking the AI model into command execution.
Least functionality restricts the AI code editor to essential features, minimizing the attack surface for unauthorized command execution via prompt injection.
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
Indirect prompt injection combined with a whitelist bypass in the AI editor enables arbitrary OS command execution (T1059) after the user visits a malicious site (T1189/T1204.001). The mapping to remote code execution is direct, but the AI-specific vector adds minor uncertainty.
NVD Description
Cursor is a code editor built for programming with AI. Prior to 2.0, if a visited website contains maliciously crafted instructions, the model may attempt to follow them in order to “assist” the user. When combined with a bypass of the command whitelist mechanism, such indirect prompt injections could result in commands being executed automatically, without the user’s explicit intent, thereby posing a significant security risk. This vulnerability is fixed in 2.0.
Deeper analysis (AI)
CVE-2026-31854 is an indirect prompt injection vulnerability (CWE-78: OS Command Injection) in Cursor, a code editor built for programming with AI. Versions prior to 2.0 are affected: a visited website containing maliciously crafted instructions can trick the AI model into following them under the guise of "assisting" the user. When combined with a bypass of the command whitelist mechanism, this results in automatic execution of commands without the user's explicit intent. The issue carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
Remote attackers can exploit this vulnerability by luring users to visit a malicious website. The attack has low complexity and requires no privileges, though user interaction is necessary. Successful exploitation enables arbitrary command execution on the victim's system, potentially leading to high-impact confidentiality, integrity, and availability compromises, such as data theft, system modification, or disruption.
The vulnerability is addressed in Cursor version 2.0. Practitioners should ensure deployments are updated to this version or later. Additional details are available in the GitHub security advisory at https://github.com/cursor/cursor/security/advisories/GHSA-hf2x-r83r-qw5q.
Details
- CWE(s)
Affected Products
AI Security Analysis (AI)
- AI Category: Other AI Platforms
- Risk Domain: LLM/Generative AI Risks
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: Matched keywords: ai