A vulnerability in the Cursor AI Code Editor allows for remote code execution (RCE) by swapping in a malicious MCP file after it has been approved.

Cybersecurity researchers have identified a significant security vulnerability in the AI-powered code editor Cursor, which could lead to remote code execution. This flaw, designated as CVE-2025-54136 with a CVSS score of 7.2, has been dubbed MCPoison by Check Point Research. The vulnerability exploits a peculiarity in how Cursor manages modifications to Model Context Protocol (MCP) server configurations. According to Cursor’s advisory, an attacker can achieve remote and persistent code execution by altering a trusted MCP configuration file within a shared GitHub repository or by editing it locally on the victim’s machine. Once a collaborator accepts a seemingly benign MCP, the attacker can covertly replace it with a malicious command, such as launching calc.exe, without triggering any alerts.

The vulnerability arises from the fact that once an MCP configuration is approved, it remains trusted indefinitely, even if subsequently modified. This flaw not only exposes organisations to supply chain risks but also facilitates potential data and intellectual property theft without detection. Following responsible disclosure on 16 July 2025, Cursor addressed the issue in version 1.3, which now requires user approval for any modifications to the MCP configuration file. Check Point highlighted that this flaw underscores a critical weakness in the trust model of AI-assisted development environments, particularly as teams increasingly integrate large language models and automation into their workflows. The discovery coincides with recent findings from Aim Labs, Backslash Security, and HiddenLayer, which revealed additional vulnerabilities in Cursor that could also allow for remote code execution.