LayerX assigned the flaw a CVSS score of 8.2, warning that a single design decision in Cursor could enable full credential compromise across a developer's environment.
LayerX's findings: local storage and no access control
Researchers at LayerX identified a high-severity vulnerability in Cursor, an AI-powered development tool, rooted in how the application stores authentication data. According to LayerX, Cursor keeps API keys, session tokens and related authentication data in a local SQLite database that is not protected by "standard mechanisms such as operating system keychains." Because the database is locally accessible and lacks OS-backed protection, LayerX concluded the secrets reside in a weak storage design.
Extensions have direct access to sensitive credentials
LayerX reported that Cursor does not enforce access controls between installed extensions and the local storage where credentials are kept. The result: any extension— including those that request no special permissions—can directly query the SQLite database and read stored secrets. LayerX demonstrated that a malicious extension could retrieve API keys tied to third-party services, session tokens used for authentication, and cached configuration data, then transmit that information externally "without triggering alerts or visible activity."
Attack chain: disguise, execute, extract
LayerX outlined a straightforward attack sequence. An adversary can disguise a malicious extension as a benign tool— for example, a theme or a productivity add-on—then rely on Cursor's extension model to obtain code execution inside the application after installation. With code execution, the extension can query the unprotected SQLite store, extract credentials, and silently exfiltrate them to an external server. LayerX emphasized that "no additional user action is required" and that the process "leaves little trace."
Downstream risks for OpenAI, Anthropic and Google services
LayerX highlighted consequences that go beyond Cursor itself. Stolen API keys can be used to access third-party platforms, naming OpenAI, Anthropic and Google as examples of services at risk. The report itemized several downstream impacts:
- Unauthorized API usage leading to financial loss
- Exposure of prompts, outputs and metadata
- Potential misuse of services for further attacks
Because the vulnerability removes isolation between extensions and sensitive data, LayerX warned it effectively grants any installed extension broad access to a developer's environment, amplifying the risk to those downstream services and to accounts tied to exposed credentials.
What this means for developers, extension marketplaces, and enterprises
- Developers and security teams: The flaw means that installing extensions in Cursor can create a direct path to credential theft without visible indicators. LayerX's demonstration shows that even extensions requesting no special permissions may be capable of extracting API keys and session tokens.
- Extension marketplaces and repository operators: Because malicious extensions can be disguised as harmless add-ons, marketplaces that host Cursor extensions face a vector for distribution of credential-stealing components unless Cursor enforces stronger isolation or marketplaces add rigorous review controls.
- Enterprises and third-party service operators: Organizations that rely on API keys for services—explicitly cited were OpenAI, Anthropic and Google—face risks of unauthorized usage, data exposure, and service abuse when keys stored in Cursor are compromised.
Cursor's response and unresolved status as of April 28, 2026
Cursor reportedly acknowledged LayerX's notice but told researchers that "defining trust boundaries is the user's responsibility." LayerX assigned the issue a CVSS score of 8.2 and warned of full credential compromise potential. The vulnerability remained unresolved as of April 28, 2026.
LayerX's findings focus attention on a narrow technical choice—storing secrets in an accessible SQLite database without OS keychain protection—and on a broader architectural question: how to enforce trust boundaries between extensible tooling and the sensitive credentials those tools touch. Without changes to storage protections or to extension isolation, the practical effect described by LayerX is stark: any installed extension in Cursor can become a conduit to third-party accounts and developer infrastructure.
Read the original report: https://www.infosecurity-magazine.com/news/cursor-extension-flaw-exposes-api/
