Last updated 1 month ago
Cursor, a developer-focused code editor, experienced a security flaw in its extension system that allowed malicious extensions to steal API keys and session tokens without any user interaction. The vulnerability was discovered and disclosed by researchers at LayerX in May 2026. The exact number of affected users or records has not been disclosed, but the exposure impacts developers using Cursor extensions.
The attack chain exploits a flaw in Cursor's extension architecture, enabling unauthorized access to sensitive credentials stored within the editor environment. Researchers at LayerX identified that the vulnerability permits extensions to silently exfiltrate API keys and session tokens, bypassing typical user consent or interaction requirements. No specific CVE identifier or threat actor attribution has been provided, and the technical details of the exploitation mechanism remain limited.
No post-incident developments, such as regulatory actions, litigation, or remediation milestones, have been reported in the article.
Vulnerability in Cursor extension allows unauthorized access to API keys and session tokens without user interaction
Sign in to join the discussion.
Company
Industry
Location
Disclosed
Records Affected
Attack Vector