Tool Abuse / Excessive Agency · High
Cursor allowlist bypass via shell built-in env-var poisoning (CVE-2026-22708)
January 2026 · Cursor AI code editor
What happened
Researcher Dan (danusminimus), with Pillar Security, disclosed that Cursor's agentic IDE implicitly trusts shell built-in commands such as export, typeset, and declare, running them without user approval even when the command allowlist is empty (CVE-2026-22708, CVSS 7.2). An attacker using direct or indirect prompt injection can silently poison environment variables, then turn an allowlisted command like git branch or python3 script.py into arbitrary code execution. For example, setting PAGER="open -a Calculator" before an approved git branch runs the payload while the user sees only the benign command they approved. Both zero-click variants (abusing zsh parameter-expansion flags) and one-click variants (poison the environment, then wait for the user to approve a safe-looking command) were demonstrated.
Root cause
Cursor's safe-mode allowlist validated only which command was executed, not the environment it ran in, and it auto-executed environment-modifying shell built-ins without approval. Invisible env-var preparation through trusted built-ins could therefore redirect a later allowlisted command into attacker-controlled code.
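The two controls this root cause points to, as an added example (not Cursor's code and not the researchers'): an approval gate that fails closed on environment-modifying built-ins, inline assignments and shell expansion, and a launcher that builds the child's environment from a pre-session snapshot instead of the live shell. The allowlist contents, the PASS_THROUGH list and all function names are assumptions made for illustration.

```python
import re
import shlex
import subprocess

# Built-ins the page names as auto-executed without approval.
ENV_BUILTINS = {"export", "typeset", "declare"}
# Constructed allowlist (assumption), using the page's two example commands.
ALLOWLIST = {("git", "branch"), ("python3", "script.py")}
# Assumption: the only variables an approved child process may receive.
PASS_THROUGH = ("PATH", "HOME", "LANG", "TERM")
# Expansion, chaining and redirection characters the gate refuses to reason about.
SHELL_META = re.compile(r"[$`;&|<>(){}\n\\]")
# A leading NAME=value or NAME+=value word sets the environment for the command.
ASSIGNMENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*\+?=")


def classify(command_line):
    """Return 'allow' only for an exact allowlisted argv; everything else is 'ask'."""
    if SHELL_META.search(command_line):
        return "ask"
    try:
        argv = shlex.split(command_line)
    except ValueError:  # unbalanced quotes: fail closed
        return "ask"
    # Explicit checks for auditability; the default below is 'ask' as well.
    if not argv or argv[0] in ENV_BUILTINS or ASSIGNMENT.match(argv[0]):
        return "ask"
    return "allow" if tuple(argv) in ALLOWLIST else "ask"


def child_env(baseline):
    """Build the child's environment from a snapshot taken before the agent
    session started, never from the live (possibly poisoned) shell state."""
    return {k: baseline[k] for k in PASS_THROUGH if k in baseline}


def run_approved(command_line, baseline):
    """Run an allowlisted command without a shell and with a scrubbed environment."""
    if classify(command_line) != "allow":
        raise PermissionError(f"needs user approval: {command_line!r}")
    return subprocess.run(shlex.split(command_line), env=child_env(baseline),
                          capture_output=True, text=True, check=False)
```

Because the child never inherits variables set during the agent session, a PAGER value planted earlier has no effect on the approved git branch even if the planting step was somehow executed.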
Fix / outcome
Patched in Cursor 2.3 (January 2026), which now requires explicit user approval for any command the server-side parser cannot classify and discourages allowlists. Upgrade to 2.3 or later; the researchers argue approval prompts alone remain weaker than full execution isolation.