CapitalGuard

CapitalGuard Observatory · Tool record

Cursor

Anysphere · coding agent

Cursor combines an AI editor with codebase context, indexing, agent features, model providers, extensions, web search, and optional background or connected tools.

Public-Control Score

84

Substantial public control coverage

Measures publicly documented control coverage as of the review date. It is not a breach rate, penetration test, endorsement, or guarantee of safety.

Scored dimensions

The documented control surface.

This record is reviewed against the same five-dimension rubric used across every scored product.

Read Methodology

Access and scope transparency

18/20

Official material provides extensive operational detail for access and scope transparency.

Data and retention controls

15/20

Official material names concrete controls and meaningful boundaries for data and retention controls.

Connector and permission controls

17/20

Official material provides extensive operational detail for connector and permission controls.

Action, approval, and isolation controls

18/20

Official material provides extensive operational detail for action, approval, and isolation controls.

Audit and administrative evidence

16/20

Official material names concrete controls and meaningful boundaries for audit and administrative evidence.

Documented access points

1

open files and editor context

2

codebase indexing and embeddings

3

agent commands, extensions, web search, and MCP tools

Settings to verify now

1

Privacy Mode and codebase indexing

2

.cursorignore and workspace scope

3

Agent, extension, web, network, and MCP permissions

Linked security signals

Version checks that should not wait.

CVE-2025-59944 · critical

Cursor sensitive-file protection bypass

Cursor 1.6.23 and earlier.

Update to Cursor 1.7 or later and review repository-controlled AI configuration before trust is granted.

CVE-2026-22708 · high

Cursor terminal allowlist bypass

Cursor 2.2 and earlier in the affected configuration.

Update to Cursor 2.3 or later and avoid treating command-name allowlists as a complete execution boundary.

CGO-RESEARCH-2026-05 · informational

AgentSecBench formalizes three enforceable agent-security boundaries

Agentic systems that combine untrusted content, private context, and action-capable tools.

Project trusted provenance, restrict capabilities before generation, and validate outputs before execution.

Primary sources

Inspect the evidence directly.