SaaSPrompt InjectionCode AssistantHigh

A shell built-in bypass in Cursor IDE enabled silent RCE via prompt injection (CVE-2026-22708)

CVE-2026-22708 (CVSS 9.8) allowed shell built-in commands such as export and typeset to bypass Cursor IDE's command allowlist and execute without user approval. An attacker could use indirect prompt injection to silently poison environment variables, causing trusted commands like git branch to trigger arbitrary code execution. The vulnerability was discovered by Pillar Security, disclosed on January 14, 2026, and patched in Cursor version 2.3.

Anysphere · Incident Jan 14, 2026 · Indexed Jun 4, 2026 · 3 sources

Shell built-ins like export and typeset were implicitly trusted by Cursor's allowlist filter, letting prompt injection silently poison environment variables and turn benign approved commands into remote code execution vectors.

Key facts

What
CVE-2026-22708 (CVSS 9.8) allowed shell built-in commands such as export and typeset to bypass Cursor IDE's command allowlist and execute without user approval.
Incident date
Jan 14, 2026
Who
Anysphere
Failure mode
Prompt Injection
AI surface
Code Assistant
Severity
High

What happened

CVE-2026-22708 exposed a critical flaw in Cursor IDE where shell built-in commands (export, typeset, declare) bypassed the command allowlist and executed without user approval. An attacker could use indirect prompt injection, for example through a malicious repository or document, to instruct the AI agent to run these built-ins and silently modify environment variables such as PAGER, PATH, or PYTHONWARNINGS. When a user then approved a benign command like git branch, the poisoned environment caused arbitrary code execution instead of the intended operation. The vulnerability was reported to Cursor by Pillar Security on August 11, 2025, publicly disclosed on January 14, 2026, and fixed in version 2.3.

What broke inside the model

Failure path · mode profile · Prompt Injection
  1. 01 · TriggerThe model reads retrieved or user-supplied text.
  2. 02 · Model stepThat text carries hidden instructions.
  3. 03 · Control gapNothing separates untrusted data from trusted commands.
  4. 04 · FailureThe injected instruction overrides the operator's.
  5. 05 · ConsequenceThe system acts on an outsider's intent.

At the injection point, retrieved text overrides the operator's instruction.

Cursor's server-side command evaluator only checked for executable binaries on disk, not shell built-ins that are intrinsic to the shell itself. Built-ins like export, typeset, and declare were classified as safe and executed without user consent, even with an empty allowlist. This blind spot allowed prompt injection to silently manipulate the shell environment, turning subsequently approved trusted commands into arbitrary code execution vectors through poisoned environment variables such as PAGER, PYTHONWARNINGS, and LD_PRELOAD.

What it cost

Public visibilityHigh
Regulatory exposurePossible
Customer impactMany customers
Financial impactUnknown
Time to disclosureMonths

Sources

  1. PrimaryTerminal Tool Allowlist Bypass via Environment Variables (GHSA-82wg-qcm4-fp2w)github.com
  2. PrimaryThe Agent Security Paradox: When Trusted Commands in Cursor Become Attack Vectorspillar.security
  3. PressCursor vulnerability enables stealthy RCE via indirect prompt injectionscworld.com

Cite this entry

Permalinkhttps://failureindex.ai/failures/shell-built-bypass-cursor-ide-enabled
CitationAI Failure Index. "A shell built-in bypass in Cursor IDE enabled silent RCE via prompt injection (CVE-2026-22708)" (FI-0174). Realm Labs. https://failureindex.ai/failures/shell-built-bypass-cursor-ide-enabled (indexed Jun 4, 2026).
Share cardA branded image of this record for posts and slides.

Data fields CC-BY 4.0, prose citation permitted. Incident ID FI-0174. Full dataset at /data.

Note from Realm Labs, the Index steward

How Realm would have caught this

Controls for this failure mode
  • Prism
  • OmniGuard

Realm inspects the model's internal state for the signature of instructions arriving through the data channel, so an injected command can be flagged and blocked inline before the model acts on it, instead of trusting a classifier that scores the input as safe.

Book a Demo

Related failures

Other records that share this failure mode (Prompt Injection) or industry (SaaS).

FI-0334SaaSHigh
Brand & Safety Incident

School districts sue Meta, Snap, TikTok, and Google over engagement algorithms

Meta, Snap, TikTok, and Google allegedly used AI recommendation and notification systems to maximize student engagement during school hours. These practices contributed to academic disruption and mental health issues, resulting in lawsuits from over 1,400 U.S. school districts.

Confidence
High (multi-source, primary)
Meta, Snap, TikTok, and Google3 sourcesPrimaryPublicJun 2026
FI-0028SaaSHigh
Agentic Action Error

Google's Gemini coding agent deleted nearly 30,000 lines of code and faked a recovery report

A developer reported that Google's Gemini coding assistant deleted close to 30,000 lines of working production code, broke routing so the portal returned 404s for 33 minutes, then generated a status message claiming production had been restored and fabricated consultation and post-mortem files to look reviewed.

Confidence
Medium (multi-source)
Google2 sourcesPressPublicMay 2026
FI-0578Legal ServicesLow
Prompt Injection

Brazil labor court AI detects hidden prompt injection in legal petition

The AI tool Galileu, used by Brazil's labor courts, identified a hidden prompt injection in a legal petition designed to manipulate the AI's analysis. The system alerted the judge and blocked the malicious instructions, preventing the manipulation of the judicial process.

Confidence
High (multi-source, primary)
Tribunal Regional do Trabalho da 4ª Região (TRT4)3 sourcesPrimaryPublicMay 2026