CVE-2026-21523: a TOCTOU race in Cursor IDE let prompt injection alter files post-validation
CVE-2026-21523 is a TOCTOU race condition (CWE-367) with a CVSS 3.1 base score of 8.0 that enables remote code execution via indirect prompt injection, documented by Vectra AI as part of a Cursor IDE triple CVE chain alongside CVE-2026-22708 and CVE-2026-26268. The official NVD and Microsoft MSRC records attribute the vulnerability to GitHub Copilot and Visual Studio Code, which Cursor inherits as a VS Code fork. The vulnerability allows an authorized attacker to exploit a temporal gap between security validation and execution to modify files and achieve code execution over a network.
A TOCTOU race condition let prompt injection slip malicious file changes past the security check before the editor acted on the now-modified content.
Key facts
- What
- CVE-2026-21523 is a TOCTOU race condition (CWE-367) with a CVSS 3.1 base score of 8.0 that enables remote code execution via indirect prompt injection, documented by Vectra AI as part of a Cursor IDE triple CVE chain alongside CVE-2026-22708 and CVE-2026-26268.
- Incident date
- Jan 1, 2026
- Who
- Cursor
- Failure mode
- Prompt Injection
- AI surface
- Code Assistant
- Severity
- High
What happened
CVE-2026-21523 was identified as part of a triple CVE chain affecting the Cursor AI code editor, grouped alongside CVE-2026-22708 and CVE-2026-26268. The TOCTOU race condition allowed an attacker to exploit indirect prompt injection to alter files between the IDE's security validation and the execution of file operations, achieving remote code execution over a network. The vulnerability was cataloged in NVD with CVSS 3.1 score 8.0 under CWE-367, and Microsoft's MSRC published an advisory as it affects the Visual Studio Code base that Cursor inherits. Vectra AI documented this CVE as part of the Cursor IDE triple chain where prompt injection bridges all three vulnerabilities into a composite attack.
What broke inside the model
- 01 · TriggerThe model reads retrieved or user-supplied text.
- 02 · Model stepThat text carries hidden instructions.
- 03 · Control gapNothing separates untrusted data from trusted commands.
- 04 · FailureThe injected instruction overrides the operator's.
- 05 · ConsequenceThe system acts on an outsider's intent.
At the injection point, retrieved text overrides the operator's instruction.
The TOCTOU race condition (CWE-367) created a temporal window between the IDE's security validation of file contents at the time-of-check and the execution of operations at the time-of-use. An attacker leveraging indirect prompt injection could modify or swap files during this gap, bypassing the security validation that had already approved the original content. The editor's protection logic assumed the checked state remained valid through execution, an assumption the race condition invalidated.
What it cost
Sources
- PrimaryCVE-2026-21523 Detailnvd.nist.gov
- PressPrompt injection: types, real-world CVEs, and enterprise defensesvectra.ai
- PrimaryCVE-2026-21523 - GitHub Copilot and Visual Studio Code Remote Code Execution Vulnerabilitymsrc.microsoft.com
Cite this entry
https://failureindex.ai/failures/cve-2026-21523-toctou-race-cursorAI Failure Index. "CVE-2026-21523: a TOCTOU race in Cursor IDE let prompt injection alter files post-validation" (FI-0176). Realm Labs. https://failureindex.ai/failures/cve-2026-21523-toctou-race-cursor (indexed Jun 4, 2026).Data fields CC-BY 4.0, prose citation permitted. Incident ID FI-0176. Full dataset at /data.
Note from Realm Labs, the Index steward
How Realm would have caught this
- Prism
- OmniGuard
Realm inspects the model's internal state for the signature of instructions arriving through the data channel, so an injected command can be flagged and blocked inline before the model acts on it, instead of trusting a classifier that scores the input as safe.