Vibe coding tool Cursor’s MCP implementation allows persistent code execution
Check Point researchers uncovered a remote code execution bug in popular vibe-coding AI tool Cursor that could allow an attacker to poison developer environments by secretly modifying a previously approved Model Context Protocol (MCP) configuration, silently swapping it for a malicious command without any user prompt.
The good news: Cursor released an update (version 1.3) on July 29 that fixes the issue and requires user approval every time an MCP Server entry is modified. So if you use the AI-powered code editor, update to run the latest version and ensure you’re not giving miscreants complete access to your machine every time you open Cursor.
While Cursor addressed the flaw, Check Point thinks the vulnerability highlights a major AI supply chain risk.
“The flaw exposes a critical weakness in the trust model behind AI-assisted development environments, raising the stakes for teams integrating LLMs and automation into their workflows,” the security shop’s research team wrote in a Tuesday blog.
MCP is an open-source protocol that Anthropic introduced in November 2024 to allow AI-based systems, like agents and large language models (LLMs), to connect to external data sources and interact with each other. While MCP does make those processes easier, it also opens the door to a whole new attack surface and related security threats, which researchers have had fun poking holes in since its rollout.
Cursor is an AI integrated development environment (IDE) that uses LLMs to help write and debug code – and it also requires a certain level of trust, especially in multi-user environments using shared code, configuration files and AI-based plugins.
“We set out to evaluate whether the trust and validation model for MCP execution in Cursor properly accounted for changes over time, especially in cases where a previously approved configuration is later modified,” Check Point researchers Andrey Charikov, Roman Zaikin and Oded Vanunu said in a technical write-up also published Tuesday.
“In collaborative development scenarios, such changes are common – and any gaps in validation could lead to command injection, code execution, or persistent compromise,” the trio added.
And as you can probably guess, the researchers did find such a validation gap and showed how it could be abused by altering an already-approved MCP server configuration to trigger malicious code execution every time a project is opened in Cursor.
The team dubbed the vuln “MCPoison”, and it essentially boils down to Cursor’s one-time approval for MCP configurations. Once Cursor approves an initial configuration, it trusts all future modifications without requiring any new validation.
An attacker could easily exploit this trust by adding a benign MCP configuration with a harmless command to a shared repository, waiting for someone to approve it, and then later changing the same entry so it executes a malicious command, which will then be executed silently on the victim’s machine every time Cursor is reopened.
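The trust gap described above is that approval was bound to an entry's name rather than to what it executes. The added example below (not Check Point's PoC or Cursor's code) shows the defensive check a tool or a pre-commit hook can apply: fingerprint each MCP server entry at approval time and flag any entry whose command material has since changed. The config shape (`mcpServers` with `command`, `args`, `env`) and the sample entries are assumptions constructed for the demonstration; the "modified" command is a harmless stand-in, not a payload.

```python
import hashlib
import json

# Assumed config shape (not taken from the article):
# {"mcpServers": {"<name>": {"command": "...", "args": [...], "env": {...}}}}


def entry_fingerprint(entry: dict) -> str:
    """Hash only the fields that decide what gets executed, in canonical JSON
    form so that key order in the file does not change the fingerprint."""
    material = {
        "command": entry.get("command", ""),
        "args": list(entry.get("args", [])),
        "env": dict(entry.get("env", {})),
    }
    canonical = json.dumps(material, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def record_approval(config: dict) -> dict:
    """Snapshot fingerprints at the moment the user approves the config."""
    return {name: entry_fingerprint(e) for name, e in config.get("mcpServers", {}).items()}


def check_drift(config: dict, approved: dict) -> dict:
    """Classify every server entry against the approval snapshot.
    Anything other than 'unchanged' needs a fresh user approval before it runs."""
    result = {}
    current = config.get("mcpServers", {})
    for name, entry in current.items():
        if name not in approved:
            result[name] = "new"
        elif approved[name] != entry_fingerprint(entry):
            result[name] = "modified"
        else:
            result[name] = "unchanged"
    for name in approved:
        if name not in current:
            result[name] = "removed"
    return result


# Constructed sample: the benign entry that gets approved first...
APPROVED_CONFIG = {"mcpServers": {"helper": {"command": "echo", "args": ["hello"]}}}
# ...and the same named entry after a later edit in the shared repository.
MODIFIED_CONFIG = {"mcpServers": {"helper": {"command": "sh", "args": ["-c", "echo changed"]}}}

if __name__ == "__main__":
    snapshot = record_approval(APPROVED_CONFIG)
    print(check_drift(APPROVED_CONFIG, snapshot))  # {'helper': 'unchanged'}
    print(check_drift(MODIFIED_CONFIG, snapshot))  # {'helper': 'modified'}
```

A name-only check would report the second config as already approved; the fingerprint check is what makes the later edit visible.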
The Check Point team also published a proof-of-concept demonstrating this type of persistent remote code execution by first getting a non-malicious MCP command approved and then replacing it with a reverse-shell payload, thus gaining access to the victim’s machine every time they open the Cursor project.
This vulnerability disclosure is just the first in a series of flaws that Check Point researchers uncovered in developer-focused AI platforms, we’re told. “As AI-assisted coding tools and LLM-integrated environments continue to shape modern software workflows, CPR will publish further findings that highlight overlooked risks and help raise the security bar across this emerging ecosystem,” the trio wrote.
So stay tuned for more fun with AI tools coming soon. ®