
Cursor allowlist bypass: shell built-ins poison the environment for RCE

CVE-2026-22708 lets a prompt injection use trusted shell built-ins like export and typeset to poison environment variables in Cursor, turning an approved git or python command into remote code execution. Patched in 2.3.

2026-06-11 // 6 min affects: cursor

What is this?

CVE-2026-22708 is an allowlist bypass in the Cursor AI code editor, disclosed by Pillar Security researcher Dan Lisichkin in The Agent Security Paradox (published January 14, 2026; reported to Cursor on August 11, 2025). NVD records two scores for it: CVSS 3.1 9.8 (Critical) and CVSS 4.0 7.2 (High). The flaw was fixed in Cursor 2.3.

The technique is simple: when the Cursor agent runs in Auto-Run mode with an allowlist, a handful of shell built-ins (export, unset, set, typeset, declare) execute without ever appearing in the allowlist and without an approval prompt. An attacker who controls the agent’s instructions (directly, or indirectly through a malicious file or web page the agent reads) uses those built-ins to silently poison environment variables, then waits for a trusted command to run. The topic resurfaced on June 11, 2026, when OWASP’s State of Agentic AI Security cited it among the prompt-injection CVEs now seen against production coding tools.

How it works

Cursor’s allowlist validates external binaries before they run. Shell built-ins are not separate binaries — they run inside the shell session itself — so they slip past the server-side command evaluator entirely. That is the whole gap: the allowlist checks what is executed, never the environment context it runs in.

Once an attacker can set environment variables for free, they reach for variables that change how ordinary tools behave. A common chain abuses the pager that git and man invoke:

# Runs silently — a built-in, never prompted:
export PAGER="[REDACTED command]"

# Looks benign, often already allowlisted — triggers the payload:
git branch

The user approves git branch, believing it harmless; the poisoned PAGER runs attacker code instead of displaying output. Pillar also demonstrated a fully zero-click variant using typeset and zsh parameter-expansion flags to force evaluation of an embedded string with no approval at all, and a longer chain through PYTHONWARNINGS, BROWSER and PERL5OPT that achieves code execution the next time any Python script runs. Live payloads are omitted here; the mechanism, not the exploit string, is the point.
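To make the gap concrete, here is a toy command gate added as an illustration; it is not Cursor's code and not Pillar's proof of concept. It contrasts an evaluator that only resolves external binaries (the pre-2.3 behaviour described above, where built-ins are never classified) with one that prompts for anything it cannot classify and surfaces environment-mutating built-ins, then replays the PAGER chain through both. The allowlist, the fake PATH table, the set of pager-using tools and the placeholder payload string are constructed for the example.

```python
"""Toy command gate for an Auto-Run agent (illustration only, not Cursor's
code).  Shows why an allowlist that only checks external binaries lets
`export PAGER=...` through, and what changes when unclassifiable commands
and environment-mutating built-ins require approval instead."""
import shlex

# Constructed user allowlist: the broad tools the text warns against
# auto-approving.
ALLOWLIST = {"git", "ls", "cat"}

# Built-ins named in the text that change the session environment.
ENV_MUTATING_BUILTINS = {"export", "unset", "set", "typeset", "declare"}

# Tools the text says consult $PAGER.
PAGER_USERS = {"git", "man"}

# Constructed stand-in for resolving argv[0] on PATH.
FAKE_PATH = {"git": "/usr/bin/git", "ls": "/bin/ls", "cat": "/bin/cat",
             "man": "/usr/bin/man", "python": "/usr/bin/python3"}

# Inert placeholder; the page deliberately omits live payload strings.
PAYLOAD = "PAYLOAD_PLACEHOLDER"


def gate_vulnerable(command):
    """Pre-2.3 behaviour as described: only external binaries are evaluated.
    A word that does not resolve to a binary is never classified, so the
    shell runs it (as a built-in) with no approval at all."""
    argv = shlex.split(command)
    if not argv:
        return "run"
    if argv[0] not in FAKE_PATH:
        return "run"          # the gap: built-ins are invisible to the gate
    return "run" if argv[0] in ALLOWLIST else "prompt"


def gate_fixed(command):
    """Post-2.3 behaviour as the text states it: anything the parser cannot
    classify requires explicit approval.  Environment-mutating built-ins are
    also surfaced rather than silently passed through."""
    argv = shlex.split(command)
    if not argv:
        return "prompt"
    if argv[0] in ENV_MUTATING_BUILTINS or argv[0] not in FAKE_PATH:
        return "prompt"
    return "run" if argv[0] in ALLOWLIST else "prompt"


def simulate(gate, script):
    """Feed a command sequence through a gate.  'run' executes with no
    prompt; 'prompt' is shown to the user, who is assumed to decline any
    environment-mutating line they actually get to see.  Tracks $PAGER so
    the reader can tell whether an allowlisted command ran with a poisoned
    pager."""
    env = {}
    verdicts = []
    pager_hijacked = False
    for line in script:
        argv = shlex.split(line)
        verdict = gate(line)
        verdicts.append((line, verdict))
        if verdict != "run":
            continue
        if argv[0] == "export" and len(argv) > 1 and "=" in argv[1]:
            name, value = argv[1].split("=", 1)
            env[name] = value
        elif argv[0] in PAGER_USERS and env.get("PAGER") == PAYLOAD:
            pager_hijacked = True   # git invokes the poisoned pager
    return {"verdicts": verdicts, "env": env, "pager_hijacked": pager_hijacked}


# The chain from the text, with the payload redacted to a placeholder.
CHAIN = [f'export PAGER="{PAYLOAD}"', "git branch"]

if __name__ == "__main__":
    for name, gate in (("vulnerable", gate_vulnerable), ("fixed", gate_fixed)):
        result = simulate(gate, CHAIN)
        print(name, result["verdicts"], "hijacked:", result["pager_hijacked"])
```

Under the vulnerable gate the export line never reaches the user and git branch runs with the poisoned pager; under the fixed gate the export line is the one that prompts, so the approved git branch runs in a clean environment. The difference is entirely in what the gate refuses to treat as "nothing to check".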

The deeper lesson Pillar draws is a trust-model shift. Manipulating environment variables for RCE is old (Elttam documented it in 2020), but it used to require local access and manual, multi-step setup. An agent that follows instructions from untrusted content collapses all of those preconditions into one prompt injection, executed remotely with the developer’s privileges.

Why it matters

AI coding assistants are now among the most targeted products for prompt injection, because a successful injection runs on a developer’s machine with access to source code, SSH keys, cloud credentials, and the local network. CVE-2026-22708 shows that the human-in-the-loop approval prompt — the control most teams rely on — can be made to lie: the visible, approved command is benign, while the malicious preparation happened invisibly through built-ins that were never surfaced. Any agentic IDE that gates commands but not execution context shares this class of weakness, not just Cursor.

Defenses

Update Cursor to 2.3 or later, where the server-side parser now requires explicit approval for any command it cannot classify. Beyond patching:

  • Do not treat allowlists as a security boundary. Cursor’s own documentation states the allowlist is best-effort and bypasses are possible; never enable a “Run Everything” mode. Keep allowlists short and avoid auto-approving broad tools like git, python, or npm.
  • Treat shell built-ins as security-sensitive. Environment-variable changes (export, typeset, declare, unset) deserve the same scrutiny as command execution, not an implicit pass.
  • Prefer isolation over sanitization. Run the agent inside a sandbox or disposable container where code execution and env-var changes cannot reach the real host, SSH keys, or credentials. Pillar argues — and the attack supports — that execution isolation, not allowlists, is the durable control for agents that legitimately need to run code.
  • Reset the environment between agent sessions so a poisoned variable cannot persist into a later, trusted action.
  • Constrain what the agent reads. Indirect injection arrives through repository files, documents, and web pages; limiting untrusted inputs and reviewing them reduces the trigger surface.
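Two of the controls above in code, added here as an example (not Cursor's code): run each approved command with a minimal, explicitly built environment instead of the inherited session one, and audit the session environment against a start-of-session baseline so a variable poisoned by a built-in is caught before the next trusted action. The pass-through list, the fixed PATH, the choice of cat as an inert pager and the placeholder value are assumptions for the example; the list of hijack variables is taken from the ones the page names.

```python
"""Environment hygiene for an agent that runs approved commands
(illustration only, not Cursor's code).  clean_env() rebuilds the child
environment from scratch; audit_env() diffs a session against its baseline
so poisoned variables are reported rather than silently inherited."""
import subprocess

# Variables the text shows being used to turn ordinary tools into code
# execution.  Taken from the page; extend for your own toolchain.
KNOWN_HIJACK_VARS = {"PAGER", "PYTHONWARNINGS", "BROWSER", "PERL5OPT"}

# Assumed minimal pass-through set.  Everything else is dropped, so what a
# trusted command sees does not depend on what the agent's shell did earlier.
PASSTHROUGH = ("HOME", "USER", "LANG", "TERM")
FIXED_PATH = "/usr/bin:/bin"   # assumed; fixed rather than inherited


def clean_env(inherited):
    """Build the environment for an approved command from scratch."""
    env = {k: inherited[k] for k in PASSTHROUGH if k in inherited}
    env["PATH"] = FIXED_PATH
    # Pin the pager to an inert value instead of leaving it unset: git and
    # man both honour PAGER, and an explicit value cannot be filled in by a
    # later layer that merges environments.
    env["PAGER"] = "cat"
    return env


def audit_env(baseline, current):
    """Diff the live session environment against the snapshot taken when
    the session started.  Returns added/changed and removed variables, with
    the ones known to redirect tools listed separately."""
    changed = {k: v for k, v in current.items() if baseline.get(k) != v}
    removed = sorted(k for k in baseline if k not in current)
    suspicious = sorted(k for k in changed if k in KNOWN_HIJACK_VARS)
    return {"suspicious": suspicious, "changed": changed, "removed": removed}


def run_approved(argv, inherited):
    """Execute an approved command with the clean environment rather than
    the session's.  A poisoned PAGER in `inherited` never reaches the child."""
    return subprocess.run(argv, env=clean_env(inherited),
                          capture_output=True, text=True, check=False)


if __name__ == "__main__":
    # Constructed session: a built-in has already poisoned PAGER.
    baseline = {"HOME": "/home/dev", "USER": "dev"}
    session = dict(baseline, PAGER="PAYLOAD_PLACEHOLDER")
    print("suspicious:", audit_env(baseline, session)["suspicious"])
    done = run_approved(["sh", "-c", 'printf %s "$PAGER"'], session)
    print("child saw PAGER =", done.stdout)
```

The audit is what makes "reset the environment between sessions" checkable rather than aspirational: snapshot at session start, diff before any trusted action, and refuse to proceed when a known hijack variable has changed. The clean environment is the stronger control, since it does not depend on the hijack list being complete.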

Status

Item                  Detail
Identifier            CVE-2026-22708
Affected              Cursor prior to 2.3 (Auto-Run + allowlist)
Fixed in              Cursor 2.3
CVSS (NVD)            9.8 Critical (v3.1) / 7.2 High (v4.0)
Reported              August 11, 2025
Public disclosure     January 14, 2026 (Pillar Security)
Exploit prerequisite  Prompt injection (direct or indirect) into the agent

Sources