Cursor CVE-2026-26268 — Sandbox Escape Lets Attackers Achieve RCE via Prompt Injection in AI Coding Agent

What Happened

• Novee Security researchers disclosed CVE-2026-26268 (CVSS 8.1), a critical sandbox escape vulnerability in Cursor, the popular AI-powered code editor built on VS Code.
• The flaw exposes a new attack surface at the intersection of AI coding agents and Git hooks — a chain where prompt injection leads to MCP (Model Context Protocol) manipulation, which then triggers arbitrary code execution.
• Attackers can plant malicious instructions in repository files or commit messages that the AI agent processes. When Cursor's agent reads the poisoned content, it executes commands outside its intended sandbox boundary.
• The vulnerability enables autonomous remote code execution loops — once triggered, the agent can be manipulated to run arbitrary shell commands on the developer's machine without further user interaction.
• BeyondScale's enterprise security guide confirms the attack pattern: prompt injection → MCP manipulation → arbitrary code execution, a chain that also appears in related vulnerabilities like CurXecute, MCPoison, and a CVSS 9.9 sandbox escape.
• Brinztech's threat advisory describes the flaw as enabling "agentic ingress" — attackers gain entry through the agent's trusted position in the development workflow, bypassing traditional perimeter defenses.
• The vulnerability is particularly severe because Cursor runs with full access to the developer's environment: file system, shell, cloud credentials, API keys, and SSH agents.
• This CVE arrives amid a broader wave of AI coding tool vulnerabilities, including Amazon Q Developer flaws that allowed credential theft and code execution via similar prompt injection chains.

Why It Matters

AI coding agents operate in a unique trust boundary: they need broad system access to be useful, but that same access makes them high-value targets. When an attacker can hijack the agent's reasoning via poisoned repository content, they inherit the agent's full privilege set. The MCP manipulation vector is especially concerning because it exploits the protocol designed to let agents safely interact with external tools — turning the safety mechanism into the attack vector. Developers using Cursor in enterprise environments may unknowingly expose production credentials, internal APIs, and proprietary codebases to supply chain attacks.

What To Do

• Update Cursor to the latest patched version immediately. Check the Cursor changelog or security advisories for CVE-2026-26268 mitigation status.
• Audit repositories cloned into Cursor workspaces for suspicious commit messages, README sections, or configuration files containing encoded instructions or unusual Unicode characters.
• Restrict Cursor's file system access to project directories only — avoid granting access to ~/.ssh, ~/.aws, or cloud credential stores.
• Disable Cursor's MCP integrations or restrict them to read-only operations until the vulnerability is fully patched.
• Monitor shell history and process logs for unexpected commands executed during Cursor sessions, especially those involving credential access or network exfiltration.
• Consider running AI coding agents in isolated containers or VMs with no direct access to production secrets.

Sources

• Novee Security — How AI-Powered Attacks Are Outpacing Traditional Security Defenses
• Brinztech — CVE-2026-26268 Agentic Ingress Vulnerability Advisory
• BeyondScale — Cursor AI Enterprise Security Guide 2026