A high-severity vulnerability in the AI-powered coding tool Cursor has raised serious concerns across the developer community, after researchers revealed it could allow attackers to steal sensitive credentials through malicious extensions.
The flaw, identified by LayerX and informally dubbed “CursorJacking,” carries a CVSS score of 8.2. It enables any installed extension to access and extract API keys and session tokens without requiring user interaction or elevated permissions—making the attack both silent and highly effective.
At the heart of the issue is Cursor’s insecure approach to credential storage. Instead of using secure system-level solutions such as encrypted keychains, the platform stores authentication secrets in a local SQLite database in plaintext. This database is located in a predictable path on the system, making it easily accessible to any application or extension.
More critically, Cursor does not enforce proper isolation between extensions and sensitive local data. This means that even extensions with minimal declared permissions can directly query the database and retrieve confidential information. The lack of access control effectively breaks the platform’s permission model, allowing attackers to bypass expected security boundaries.
The attack method is straightforward. A malicious actor can publish what appears to be a harmless extension, such as a theme or productivity add-on. Once installed, the extension quietly accesses the local database, extracts credentials, and transmits them to a remote server—all without alerting the user. Because the behavior relies on legitimate extension functionality, it is extremely difficult to detect.
The consequences of such an exploit can be severe. Stolen API keys can be used to abuse services from providers like OpenAI or Anthropic, leading to financial losses. Additionally, attackers could gain access to sensitive code, proprietary data, and connected systems such as cloud infrastructure, potentially enabling broader compromise and lateral movement across enterprise environments.
LayerX disclosed the vulnerability to Cursor in early February 2026. In response, the vendor stated that extensions operate within the same trust boundary as local applications and emphasized that users are responsible for evaluating the safety of extensions before installing them. However, as of April 2026, no patch or structural fix has been released.
Security experts warn that until Cursor redesigns its architecture to enforce strict isolation and adopts secure credential storage practices, users remain exposed to significant risk. Developers are being urged to avoid untrusted extensions, rotate API keys regularly, and monitor for unusual activity within their environments.
The incident highlights a broader challenge in the rapidly evolving AI development ecosystem—balancing innovation with robust security controls. Without stronger safeguards, tools designed to accelerate productivity may inadvertently open the door to critical vulnerabilities.
Recommended Cyber Technology News:
- Bell Integration Adopts NiCE CXone to Transform AI-Driven Customer Operations
- AuxoAI Partners with Google Cloud to Accelerate Enterprise AI Transformation
- Online Services Company Hit by Cyberattack, Services Disrupted
To participate in our interviews, please write to our CyberTech Media Room at info@intentamplify.com
