CVE-2026-22708: Cursor AI Allowlist Bypass via Shell Environment Poisoning Turned Trusted Commands Like 'git' into Arbitrary Code Execution

Timeline

1. 2026-01-14

   CVE-2026-22708 published. Vulnerability disclosed by Pillar Security research team. CVSS 7.2. CWE-78 (OS Command Injection via prompt injection attack vector).

2. 2026-01-23

   SentinelOne vulnerability database entry published with technical details of the shell environment poisoning vector.

3. 2026-01-28

   DEV Community writeup by cverports publishes full exploit walkthrough: export PATH and alias bypass turns any allowlisted binary into an RCE vector. Proof-of-concept confirmed.

4. 2026-02-03

   CVEfeed.io entry confirmed. Vulnerability fixed in Cursor version 2.3.

5. 2026-06-11

   Vulnerability resurfaces in OWASP prompt injection roundup covering agentic IDE attack patterns from the first half of 2026.

Technical breakdown

• Cursor Auto-Run mode uses a command allowlist to restrict which binaries the agent can execute in the terminal. The allowlist checked external binary names but did not inspect or restrict shell built-in execution (export, alias, source, eval).
• Shell built-ins run in the current shell process context and can modify PATH, define aliases, and set environment variables — all of which affect how subsequent external binary names resolve.
• A malicious export PATH=/tmp/evil:$PATH followed by an allowlisted git invocation causes the shell to resolve git to /tmp/evil/git (the attacker payload) without the allowlist ever seeing a non-allowlisted binary name.
• The attack vector is indirect prompt injection: hostile instructions embedded in a repo README, documentation file, or tool API response read by the Cursor agent during a normal task.
• The allowlist security model collapsed because it was enforced inside the agent's own shell context — the very environment the attacker could manipulate.