Vulnerability  ·  2026-07-17

Cursor Cloud Agent — Unauthenticated Local Agent Endpoint Enables Sandbox RCE and Credential Theft via Browser-Enabled Sessions

VulnerabilityHigh impactGlobalCVE-2026-61613
Prior to a 03/31/2026 fix, Cursor's browser-enabled Cloud Agent sessions exposed an unauthenticated local agent endpoint reachable from any web content rendered inside the agent's browser, letting a malicious webpage visited by the agent pivot into code execution inside the agent's own sandboxed session.
This is a cross-boundary attack where untrusted web content an AI coding agent browses can escape into the agent's execution sandbox and steal the session's credentials (including GitHub App tokens), demonstrating a novel agent-execution attack class combining browser-use tooling with unauthenticated local control-plane endpoints.
Attacker-controlled web content loaded inside a browser-enabled Cursor Cloud Agent session could connect from inside the agent container to an unauthenticated local agent endpoint, achieving code execution within the sandbox and exfiltrating files, env vars, credentials, and GitHub App access tokens available to that session.
Cursor Cloud Agent (browser-enabled sessions), fixed 2026-03-31
Fixed by Cursor on 2026-03-31 by requiring authentication on the affected local agent endpoint; ensure Cursor Cloud Agent clients are updated past the fix. See GHSA-whx2-4gvm-m3r3.
GitHub Security Advisory GHSA-whx2-4gvm-m3r3NVD CVE-2026-61613
See this in the live feed Explore related AI security and governance findings — updated every morning.
Open the feed →