A new report out today from artificial intelligence security startup Cyata Security Ltd. details a high-severity remote code execution vulnerability in Cursor Inc.’s integrated development environment that exposed risks tied to trusted installation workflows and agentic AI tooling.
The vulnerability, tracked as CVE-2025-64106 and carrying a severity score of 8.8, affected Cursor’s Model Context Protocol installation flows and could have allowed attackers to execute arbitrary commands on a developer’s machine. Cyata reported the vulnerability to Cursor upon discovery and, to the credit of both companies, it was patched within two days.
The issue arose because Cursor uses the increasingly popular Model Context Protocol, or MCP, to connect AI assistants inside the IDE to external tools, databases and application programming interfaces, enabling more autonomous, agent-driven development workflows. That connectivity introduces new attack surface, particularly where the AI tooling is granted system-level permissions during setup and configuration.
Cyata researchers discovered that Cursor’s MCP installation process could be manipulated so that users saw a trusted installation dialog appearing to install Playwright, a popular browser automation tool, while different, malicious commands ran in the background. The user-interface deception could have tricked users into running harmful code under the guise of legitimate software.
The vulnerability stemmed from insufficient validation and trust enforcement in Cursor’s handling of MCP deep links. That flow is designed to run system-level commands when connecting external tools, but crafted inputs could change how those actions were presented to users, masking unsafe behavior behind a legitimate-looking interface.
The issue did not rely on traditional exploit techniques such as memory corruption; it abused logic and trust assumptions in the installation workflow itself. By riding a trusted execution path and a recognizable tool name, an attacker could lower user suspicion and raise the odds that the payload ran, which highlights how UI trust and workflow design have become security boundaries in agentic AI systems.
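To make the trust gap described above concrete, the following is an added example, not Cursor’s or Cyata’s code and not a reproduction of the reported bug. It models an MCP install deep link whose display name and launched command are separate fields, and renders a consent prompt from the name alone beside one rendered from the decoded command. The link shape (modelled on the install-link format Cursor documents), the KNOWN_TOOLS allowlist and the two sample links are assumptions constructed for the illustration.

```javascript
'use strict';

// Added example, not Cursor's or Cyata's code. The deep-link shape is an assumption
// for illustration, modelled on the install-link format Cursor documents:
//   cursor://anysphere.cursor-deeplink/mcp/install?name=<label>&config=<base64 JSON>
// The label is attacker-controlled, so a dialog rendered from the label alone can say
// "Playwright" while the config launches something else. The hardened prompt is
// rendered from the decoded config instead.
const INSTALL_LINK_PREFIX = 'cursor://anysphere.cursor-deeplink/mcp/install';

// Build a link the way a web page or README might embed one.
function encodeInstallLink(name, config) {
  const url = new URL(INSTALL_LINK_PREFIX);
  url.searchParams.set('name', name);
  url.searchParams.set('config', Buffer.from(JSON.stringify(config), 'utf8').toString('base64'));
  return url.toString();
}

// Parse and strictly validate the link; reject anything that is not a
// {command: string, args?: string[], env?: object} config.
function parseInstallLink(link) {
  if (!link.startsWith(INSTALL_LINK_PREFIX)) throw new Error('not an MCP install link');
  const url = new URL(link);
  const name = url.searchParams.get('name');
  const rawConfig = url.searchParams.get('config');
  if (!name || !rawConfig) throw new Error('missing name or config parameter');
  let config;
  try {
    config = JSON.parse(Buffer.from(rawConfig, 'base64').toString('utf8'));
  } catch (_e) {
    throw new Error('config is not base64-encoded JSON');
  }
  if (typeof config !== 'object' || config === null || Array.isArray(config)) {
    throw new Error('config must be a JSON object');
  }
  if (typeof config.command !== 'string' || config.command.length === 0) {
    throw new Error('config.command must be a non-empty string');
  }
  const args = config.args === undefined ? [] : config.args;
  if (!Array.isArray(args) || !args.every((a) => typeof a === 'string')) {
    throw new Error('config.args must be an array of strings');
  }
  const env = config.env === undefined ? {} : config.env;
  if (typeof env !== 'object' || env === null || Array.isArray(env)) {
    throw new Error('config.env must be an object');
  }
  return { name, command: config.command, args, env };
}

// Weak prompt: shows only the attacker-chosen label. Two links that launch
// completely different programs produce an identical dialog.
function weakPromptText(server) {
  return `Install MCP server "${server.name}"?`;
}

// Hardened prompt: shows exactly what will be executed, quoting arguments that
// contain whitespace so a shell one-liner is visible as a single argument.
function hardenedPromptText(server) {
  const quote = (a) => (/[\s"']/.test(a) ? JSON.stringify(a) : a);
  const cmdline = [server.command, ...server.args].map(quote).join(' ');
  const envKeys = Object.keys(server.env);
  let text = `Install MCP server "${server.name}"?\nThis will run: ${cmdline}`;
  if (envKeys.length > 0) text += `\nEnvironment variables set: ${envKeys.join(', ')}`;
  return text;
}

// Consistency check: when the label names a tool we know, the launched command
// must actually be that tool. KNOWN_TOOLS is a hypothetical allowlist;
// @playwright/mcp is the published Playwright MCP package name.
const KNOWN_TOOLS = {
  playwright: { command: 'npx', packagePrefix: '@playwright/mcp' },
};

// Returns true/false for a known label, null when there is nothing to compare against.
function labelMatchesCommand(server) {
  const known = KNOWN_TOOLS[server.name.trim().toLowerCase()];
  if (!known) return null;
  return server.command === known.command && server.args.some((a) => a.startsWith(known.packagePrefix));
}

// Constructed sample links: a genuine Playwright install and a look-alike that
// reuses the label but runs a harmless shell command instead.
const BENIGN_LINK = encodeInstallLink('Playwright', { command: 'npx', args: ['@playwright/mcp@latest'] });
const LOOKALIKE_LINK = encodeInstallLink('Playwright', { command: 'sh', args: ['-c', 'echo not-playwright > /tmp/mcp-demo'] });

// Print both dialogs for both links so the difference is visible side by side.
function demo() {
  for (const link of [BENIGN_LINK, LOOKALIKE_LINK]) {
    const server = parseInstallLink(link);
    console.log('--- weak dialog ---\n' + weakPromptText(server));
    console.log('--- hardened dialog ---\n' + hardenedPromptText(server));
    console.log('label matches command:', labelMatchesCommand(server));
  }
}
demo();
```

Both links produce the same weak dialog; only the hardened dialog and the allowlist check tell them apart. The check returns null for labels it does not know, so it complements rather than replaces showing the real command line in the prompt.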
“As AI IDEs start wiring agents into real tools and real permissions, the installation flow becomes a security boundary, not a convenience,” said Shahar Tal, co-founder and chief executive officer at Cyata. “This issue shows how attackers can abuse trusted setup experiences to get code executed on a developer’s machine. Securing agentic workflows means treating UI trust, deep links and tool installation as part of your threat model.”
Cyata worked closely with Cursor to ensure a swift patch and continues to monitor emerging risks associated with agentic AI integration.
The venture capital-backed startup raised $8.5 million, its first disclosed funding round, in July. Investors in the company include TLV Partners Ltd. and a number of individual investors.
Image: News/Ideogram
