Auth bypass in Cursor

CVE-2026-61613

Cursor is a code editor built for programming with AI. Prior to the Cloud Agent fix on 03/31/2026, browser-enabled Cursor Cloud Agent sessions allowed attacker-controlled web content to connect from inside the agent container to an unauthe…

Vulnerability class: Broken Authentication

Affected products

  • Cursor — versions < 03/31/2026

Weakness classification (CWE)

References