A high-severity vulnerability in the AI-powered development tool Cursor allows installed extensions to access sensitive credentials, exposing API keys and session tokens without any user interaction.
According to research by LayerX, the issue stems from how Cursor stores secrets locally, leaving them accessible to any extension regardless of permissions. LayerX assigned the flaw a CVSS score of 8.2 and warned that it could enable full credential compromise across a developer’s environment.
Cursor reportedly acknowledged the notice but stated that defining trust boundaries is the user’s responsibility. The issue remains unresolved as of April 28, 2026.
Weak Storage Design Enables Credential Access
At the core of the flaw is Cursor’s use of a local SQLite database to store authentication data, including API keys and session tokens, according to LayerX. This database is not protected by standard mechanisms such as operating system keychains, which are typically used to safeguard sensitive information.
Because Cursor does not enforce access controls between extensions and local storage, any extension can directly query the database. This applies even to extensions that request no special permissions, making detection difficult.
Researchers demonstrated that a malicious extension could retrieve:
-
API keys tied to third-party services
-
Session tokens used for authentication
-
Cached configuration data
Once extracted, this information can be transmitted externally without triggering alerts or visible activity. The absence of permission prompts or warnings further increases the risk to developers who install extensions from marketplaces or repositories.
Attack Chain and Broader Impact
The attack sequence requires minimal effort, LayerX warned. An attacker can disguise a malicious extension as a harmless tool, such as a theme or productivity add-on. After installation, the extension gains code execution within Cursor and can immediately access local credential storage.
From there, sensitive data is extracted and silently exfiltrated to an external server. No additional user action is required, and the process leaves little trace.
Read more on API security risks: 99% of Organizations Report API-Related Security Issues
The consequences extend beyond Cursor itself. Stolen API keys can be used to access third-party platforms such as OpenAI, Anthropic or Google services. This creates several downstream risks:
-
Unauthorized API usage leading to financial loss
-
Exposure of prompts, outputs and metadata
-
Potential misuse of services for further attacks
Without isolation between extensions and sensitive data, the vulnerability effectively grants any installed extension broad access to a developer’s environment. The findings highlight ongoing challenges in securing extensible development platforms, especially as AI tooling becomes more widely adopted.
