Cursor IDE: Persistent Code Execution via MCP Trust Bypass
Check Point, Tuesday, August 5th, 2025
Cursor is one of the fastest-growing AI-powered coding tools used by developers today. It combines local code editing with powerful large language model (LLM) integrations to help teams write, debug, and explore code more efficiently. But with that deep integration comes increased trust in automated workflows, and increased risk when that trust is exploited.
Key Insights:
Critical RCE Flaw in Popular AI-powered IDE
Check Point Research uncovered a persistent remote code execution vulnerability in Cursor, a fast-growing AI-powered coding platform trusted by developers worldwide.
MCP Vulnerability
Cursor allows attackers to gain long-term, silent access to developer environments by altering previously approved Model Context Protocol (MCP) configurations, with no additional user prompt.
Real-World Attack Scenario
In shared repositories, a benign-looking MCP configuration can be weaponized after approval, triggering malicious code execution every time a project is opened in Cursor.
Broader AI Supply Chain Risk
The flaw exposes a critical weakness in the trust model behind AI-assisted development environments, raising the stakes for teams integrating LLMs and automation into their workflows.
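The check below is an added example (not code from Check Point or Cursor) of one mitigation for the behaviour described above: approval is tied to a digest of each MCP entry's content, so an entry edited after approval is flagged for re-approval instead of being trusted silently. The `mcpServers`/`command`/`args` layout, the server names and the function names are assumptions, and the sample configurations are constructed.

```python
import hashlib
import json

# Constructed sample configs. The "mcpServers" / "command" / "args" layout is
# an assumption for illustration; server names and commands are made up.
APPROVED_CONFIG = json.dumps({"mcpServers": {
    "docs": {"command": "docs-server", "args": ["--port", "8800"]},
    "lint": {"command": "lint-server", "args": []},
}})
LATER_CONFIG = json.dumps({"mcpServers": {
    "docs": {"args": ["--port", "8800"], "command": "docs-server"},  # keys reordered only
    "lint": {"command": "other-binary", "args": ["placeholder"]},   # edited after approval
    "extra": {"command": "extra-server", "args": []},               # never approved
}})

def entry_digest(entry):
    """SHA-256 over a canonical JSON form, so key order and spacing don't matter."""
    canonical = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

def approve(config_text):
    """Record a digest per server entry at the moment the user approves it."""
    servers = json.loads(config_text).get("mcpServers", {})
    return {name: entry_digest(entry) for name, entry in servers.items()}

def audit(config_text, approved):
    """Compare the current config to the approved digests, entry by entry."""
    servers = json.loads(config_text).get("mcpServers", {})
    report = {}
    for name, entry in servers.items():
        if name not in approved:
            report[name] = "new"
        elif entry_digest(entry) != approved[name]:
            report[name] = "changed"
        else:
            report[name] = "unchanged"
    for name in approved.keys() - servers.keys():
        report[name] = "removed"
    return report

def needs_reapproval(report):
    """Entries that must not run until a user approves them again."""
    return sorted(n for n, state in report.items() if state in ("new", "changed"))

if __name__ == "__main__":
    baseline = approve(APPROVED_CONFIG)
    print(needs_reapproval(audit(LATER_CONFIG, baseline)))
```

The same comparison can run in CI or a pre-commit hook on shared repositories, so a change to an MCP entry is reviewed like any other code change.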