Cursor AI Code Editor Shell Built-In Allowlist Bypass Enables Zero-Click RCE (2026)

Incident Summary

Pillar Security disclosed CVE-2026-22708 in March 2026, a vulnerability in the Cursor AI code editor where shell built-in commands such as “export” and “typeset” bypassed the terminal command allowlist even when the allowlist was configured to be empty.^[1] The vulnerability enabled both zero-click and one-click remote code execution scenarios through indirect prompt injection: malicious content embedded in project files (code comments, documentation, configuration) caused Cursor’s AI agent to execute shell built-in commands that poisoned the environment variables, so that subsequent trusted commands produced malicious outcomes.^[1] Cursor released version 2.3 with a fix requiring explicit user approval for any commands the server-side parser cannot classify, and updated its security guidelines to discourage reliance on allowlists as a security mechanism.^[2]

Key Facts

• CVE-2026-22708: Shell built-in commands like “export” and “typeset” executed without user approval even with an empty allowlist, enabling environment poisoning for RCE^[1]
• Attack mode: Both zero-click (fully automatic when project opened) and one-click (requires single user interaction) scenarios demonstrated^[1]
• Mechanism: Indirect prompt injection causes the AI agent to run shell built-ins that modify environment variables; subsequent trusted commands then execute attacker-controlled payloads^[1]
• Discovery: Pillar Security, March 2026^[1]
• Fix: Cursor version 2.3 requires explicit user approval for any commands the server-side parser cannot classify^[2]
• Policy change: Cursor’s security guidelines now explicitly discourage reliance on allowlists, acknowledging that trusted commands remain susceptible to environmental manipulation^[1]
• Related: See INC-25-0008 for earlier Cursor MCP vulnerabilities (CurXecute, MCPoison)

Threat Patterns Involved

Primary: Prompt Injection Attack — CVE-2026-22708 demonstrates a particularly subtle prompt injection variant: the injected content does not directly execute a malicious command but instead causes the AI agent to run shell built-ins that poison the execution environment, so that subsequent legitimate commands produce malicious outcomes. This two-stage attack bypasses both the allowlist and human review.

Secondary: Tool Misuse & Privilege Escalation — Cursor’s Agent Mode grants the AI assistant the ability to execute terminal commands, and the vulnerability escalates from project-level file access to system-level command execution through the AI agent’s tool-calling capabilities.

Significance

1. Allowlist security model failure — CVE-2026-22708 demonstrates that even when developers configure the strictest possible allowlist (empty), AI code editors can still be exploited through commands implicitly trusted by the shell, fundamentally challenging the allowlist security model for AI tool execution
2. Environment poisoning as indirect execution — The two-stage attack pattern (poison environment, then trigger trusted command) is harder to detect than direct malicious command execution, as each individual step appears benign in isolation
3. Open-repo-get-pwned attack class — The vulnerability shares the pattern of “clone a repository, get compromised,” where AI-enhanced development tools convert passive project files into active exploitation vectors