Tracked informally as “CursorJacking,” the flaw carries a CVSS score of 8.2 and allows any installed extension to silently extract API keys and session tokens without user interaction or elevated permissions.
The issue stems from insecure credential storage and a lack of isolation between extensions and sensitive application data, placing developers and their associated services at significant risk.
Cursor diverges from standard security practices by storing authentication secrets in a local, unencrypted SQLite database rather than leveraging secure storage mechanisms such as macOS Keychain or Windows Credential Manager.
This database resides at a predictable file path on the host system, making it easily accessible.
More critically, Cursor fails to enforce access control boundaries between its extension ecosystem and local storage.
As a result, any extension, regardless of its declared permissions, can directly query the database and retrieve plaintext credentials.
This architectural oversight effectively nullifies the concept of permission-based security within the extension model.
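A defender-side check for the storage problem described above, as an added example that is not from the original article or from Cursor: it scans a SQLite store for values shaped like plaintext tokens and reports only where they sit, never the values. The article gives neither the database path nor its schema, so the `kv` table, the key names and the token patterns below are assumptions, and the sample data is constructed.

```python
import re
import sqlite3
from collections import Counter

# Illustrative credential shapes (assumed, not exhaustive).
PATTERNS = {
    "jwt": re.compile(r"\beyJ[\w-]{8,}\.[\w-]{8,}\.[\w-]{8,}"),
    "api_key": re.compile(r"\b(?:sk|pk|ghp)[-_][A-Za-z0-9_-]{16,}"),
}

def audit(conn):
    """Return sorted (table, column, kind, hits); secret values are never returned."""
    hits = Counter()
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table'")]
    for table in tables:
        quoted = '"' + table.replace('"', '""') + '"'
        cur = conn.execute(f"SELECT * FROM {quoted}")
        cols = [d[0] for d in cur.description]
        for row in cur:
            for col, cell in zip(cols, row):
                if isinstance(cell, bytes):  # values are often stored as BLOBs
                    cell = cell.decode("utf-8", "replace")
                if not isinstance(cell, str):
                    continue
                for kind, pat in PATTERNS.items():
                    if pat.search(cell):
                        hits[(table, col, kind)] += 1
    return sorted(k + (n,) for k, n in hits.items())

def sample_db():
    """Constructed in-memory store; table and key names are hypothetical."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE kv (key TEXT PRIMARY KEY, value BLOB)")
    jwt = "eyJhbGciOiJub25lIn0.eyJzdWIiOiJleGFtcGxlIn0.c2lnbmF0dXJl"
    conn.executemany("INSERT INTO kv VALUES (?, ?)", [
        ("ui/theme", "dark"),
        ("auth/accessToken", jwt),
        ("auth/session", ('{"token": "%s"}' % jwt).encode()),
        ("provider/apiKey", "sk-" + "EXAMPLE0" * 3),
    ])
    return conn

if __name__ == "__main__":
    for table, col, kind, n in audit(sample_db()):
        print(f"{table}.{col}: {n} plaintext {kind} value(s)")
```

Any hit marks a value that belongs in the operating system's secure storage rather than in a world-readable application database.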
The exploitation process is straightforward and requires minimal attacker effort, making it highly scalable and dangerous in real-world scenarios.
Because the attack operates silently and leverages legitimate extension functionality, detection is extremely difficult for end users.
The implications of CursorJacking extend far beyond local credential exposure. Given the high-privilege nature of developer API keys, attackers can rapidly escalate access and cause widespread damage.
This combination of stealth, ease of exploitation, and high-impact outcomes makes the vulnerability particularly critical for organizations relying on AI-assisted development workflows.
LayerX responsibly disclosed the vulnerability to Cursor on February 1, 2026. The vendor responded on February 5, stating that extensions operate within the same trust boundary as local applications and emphasizing that users are responsible for vetting extensions before installation.
As of April 2026, no patch or architectural mitigation has been released. This leaves all users of the platform exposed to potential credential theft.
Until Cursor implements proper isolation controls and secure credential storage, developers should take immediate precautions:
Security experts strongly recommend that Cursor redesign its extension architecture to enforce strict sandboxing and migrate credential handling to system-level secure storage.
Without these changes, the platform remains vulnerable to trivial yet highly damaging attacks.
The post Cursor AI Extension Token Access Flaw Could Lead to Full Credential Compromise appeared first on Cyber Security News.