A high-severity vulnerability in the AI-powered development tool Cursor allows installed extensions to access sensitive credentials, exposing API keys and session tokens without any user interaction. According to LayerX, the issue stems from how Cursor stores secrets locally, leaving them accessible to any extension regardless of permissions, with LayerX assigning the flaw a CVSS score of 8.2.
Cursor reportedly acknowledged the notice but stated that defining trust boundaries is the user’s responsibility, and the issue remains unresolved as of 28 April 2026. At the core of the flaw is Cursor’s use of a local SQLite database to store authentication data, including API keys and session tokens, which is not protected by standard mechanisms such as operating system keychains.
Because Cursor does not enforce access controls between extensions and local storage, any extension can directly query the database, even if it requests no special permissions. Researchers demonstrated that a malicious extension could retrieve API keys tied to third-party services, session tokens, and cached configuration data, exfiltrating them to an external server without triggering alerts.