Cursor RCE in Open Repos: How Simple Access Leads to Full Compromise

Read full article here: https://www.oasis.security/blog/cursor-security-flaw/?utm_source=nhimg

A new research finding from Oasis Security reveals a serious security flaw in Cursor, the popular AI-powered code editor. The vulnerability allows malicious repositories to automatically execute code the moment they’re opened—without user consent. For developers and enterprises relying on Cursor, this represents a dangerous attack vector with real-world implications for supply chain security, cloud environments, and non-human identities (NHIs).

The Vulnerability: Auto-Execution on Folder Open

Cursor ships with Workspace Trust disabled by default, unlike Visual Studio Code. That means if a project contains a hidden autorun instruction, Cursor will execute it silently.

Here’s how the exploit works:

• A malicious actor commits a .vscode/tasks.json file into a repo.
• That file contains "runOptions.runOn": "folderOpen".
• When a developer opens the repo in Cursor, the IDE immediately runs the task — no warning, no consent.

From that moment, attackers can run arbitrary code in the developer’s session, enabling theft of API keys, modification of source code, or backdoor installation.

Why It Matters: Developer Laptops Are Goldmines

Unlike isolated servers, developer machines often contain:

• Cloud provider keys (AWS, GCP, Azure)
• Personal Access Tokens (PATs) for GitHub, GitLab, or Bitbucket
• API credentials for SaaS integrations
• Active sessions across critical enterprise tools

That makes an RCE on a dev laptop a perfect pivot point into CI/CD pipelines, cloud infrastructure, and even non-human identities (NHIs) that carry powerful permissions. In short, one booby-trapped repo could compromise an entire enterprise.

Who’s at Risk?

• Affected: Cursor users running default settings (Workspace Trust off).
• Lower risk: VS Code users, where Workspace Trust is enabled and autoruns are blocked until explicit trust is granted.

This highlights a core issue: security defaults matter. An insecure default in a widely used tool puts entire organizations at unnecessary risk.

How to Mitigate: Practical Steps

Oasis Security recommends immediate hardening for teams using Cursor:

1. Enable Workspace Trust → Turn on trust prompts before running code.
2. Disable automatic tasks → Set task.allowAutomaticTasks: "off".
3. Open unknown repos in isolation → Use viewer-only editors, disposable containers, or VMs.
4. Hunt & monitor →
   • Scan repos for .vscode/tasks.json with "runOn": "folderOpen".
   • Monitor for unusual shells or outbound traffic after opening projects.

Cursor has acknowledged the issue and says updated guidance will be published soon. But waiting isn’t a strategy, teams should act now.

Bigger Picture: AI Tools Expand the Attack Surface

This vulnerability isn’t just about Cursor. It’s part of a larger trend in AI-powered developer tools: powerful automation features, but insecure defaults. As AI agents and NHIs proliferate, the risk of hidden, supply-chain-style exploits only grows.

At Oasis Security, our mission is to secure the environments where AI agents, developer tools, and NHIs operate — from laptops to pipelines to cloud. By exposing risks like this Cursor flaw, we aim to give teams practical defenses against emerging attack vectors.