Cursor Cloud Agent Browser Sandbox Escape Vulnerability Allowing Code Execution

Vulnerability

A vulnerability existed in browser-enabled Cursor Cloud Agent sessions prior to the fix on March 31, 2026. This issue allowed attacker-controlled web content to connect from inside the agent container to an unauthenticated local agent endpoint. Exploitation of this vulnerability enabled code execution within the affected Cloud Agent sandbox or session. Additionally, it allowed access to files, repository contents, environment variables, credentials, and GitHub App access tokens available to that session. The vulnerability could be exploited by loading attacker-controlled content in a browser-capable Cloud Agent configuration.

Impact

Successful exploitation allowed code execution within the affected Cloud Agent sandbox or session. An attacker could access files, repository contents, environment variables, and credentials available to that session. Cloud Agent sessions include GitHub App access tokens for repository operations, exposure of which allows read/write access to the associated repository, including code, pull requests, checks, and workflows, subject to the agent's granted permissions. If customers configured additional secrets, such as cloud credentials, CI/CD tokens, or API keys, downstream impact to external systems could be higher depending on those credentials' permissions.

Remediation

The vulnerability has been patched in Cursor Cloud Agents. Affected sessions now require authentication for the relevant agent control channel. No user action is required for Cursor-hosted Cloud Agents.

Added: Jul 15, 2026, 3:37 PM
Updated: Jul 15, 2026, 3:37 PM

Vulnerability Rating

Custom Algorithm
spread
0.0
impact
7.5
exploitability
6.2
remediation
0.0
relevance
9.8
threat
0.0
urgency
2.9
incentive
0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.