Two-Click Cursor AI Flaw Could Let Attackers Take Over Developer Environments
What happened
Researchers from Adversa AI have disclosed two vulnerabilities in Cursor AI that could allow attackers to install a malicious Model Context Protocol (MCP) server on a developer’s machine with as little as two clicks. The attack relies on disguising a malicious installation link as what appears to be a legitimate pull request, increasing the likelihood that developers will interact with it.
According to Adversa AI lead researcher Rony Utevsky, attackers can use double URL encoding to hide an MCP installation command inside a standard-looking development workflow. Once the developer clicks the link and approves the installation prompt, the malicious MCP server runs with the same privileges as the user, enabling arbitrary command execution.
MCP servers are designed to connect AI coding assistants with external tools such as APIs and local file systems. While this functionality improves developer productivity, it also creates a powerful attack vector if abused. A compromised MCP server could potentially steal source code, access sensitive credentials, or install additional malware.
Adversa AI reported the vulnerabilities to Cursor AI. A Cursor representative acknowledged the issue, stating that the company has reopened its investigation after an earlier report was mistakenly closed by a third-party security vendor.
Who is affected
The issue primarily affects organizations whose developers use Cursor AI for software development. Cursor reports that it is used by more than 50,000 enterprises, including a significant number of Fortune 500 companies.
Development teams that regularly install MCP servers or rely on AI-assisted coding workflows may face increased risk, particularly if developers are encouraged to install new tools through shared links or collaboration platforms.
Why CISOs should care
AI-powered development environments are becoming part of enterprise software delivery, making them an attractive target for attackers. Rather than compromising source code directly, threat actors can target the development tools themselves to gain privileged access.
Utevsky noted that this type of vulnerability resembles traditional argument injection attacks that have existed for years, but AI development platforms are repeating similar mistakes while rapidly introducing new capabilities.
For security leaders, the incident highlights the need to extend application security beyond source code repositories to include AI coding assistants, plugins, and supporting infrastructure.
3 practical actions
Review and allowlist approved MCP servers, preventing developers from installing unapproved integrations.
Monitor AI development environments for unusual MCP installations, configuration changes, and command execution activity.
Educate developers to verify installation prompts carefully and avoid blindly trusting links shared through pull requests, chat platforms, or collaboration tools.


