Back to overview

CVE-2026-61613

HIGH
7.7
CVSS 4.0
Description
Cursor is a code editor built for programming with AI. Prior to the Cloud Agent fix on 03/31/2026, browser-enabled Cursor Cloud Agent sessions allowed attacker-controlled web content to connect from inside the agent container to an unauthenticated local agent endpoint, enabling code execution within the affected Cloud Agent sandbox or session and access to files, repository contents, environment variables, credentials, and GitHub App access tokens available to that session. This issue was fixed on 03/31/2026 by requiring authentication for the relevant agent endpoint.

Metadata

CVE ID
CVE-2026-61613
State
PUBLISHED
Assigner
GitHub_M
Reserved
2026-07-10 17:36 UTC
Published
2026-07-15 14:18 UTC
Last updated
2026-07-15 14:18 UTC
Primary CWE
CWE-306
CWE-306: Missing Authentication for Critical Function
Vendor / Product
cursor / cursor
Sources
cve.org  ·  NVD

Severity & Metrics

7.7 HIGH CVSS 4.0
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L
Affected products (1)
VendorProductPlatformVersions
cursor cursor < 03/31/2026
Weakness (CWE)
CWESourceDescription
CWE-306 cna CWE-306: Missing Authentication for Critical Function
CVSS scores (1)
ScoreSeverityVersionSourceVector
7.7 HIGH 4.0 cna CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L
References (1)
Back to overview