Plain-English risk rating: 3 of 5 (Hobby/Pro without Privacy Mode) / 2 of 5 (Pro with Privacy Mode) / 1 of 5 (Business/Enterprise)
Cursor is the most widely adopted AI code editor in 2026 and has a structurally different risk profile from GitHub Copilot. Two distinguishing facts: (1) Cursor's Privacy Mode genuinely enforces Zero Data Retention with model providers (your code is not stored on Cursor's servers and is not used for training), but Privacy Mode is opt-in on Hobby and Pro tiers; only Business and Enterprise tiers have Privacy Mode forcibly enabled by default. (2) Cursor has had a documented string of high-severity vulnerabilities throughout 2025 and 2026 (CurXecute, MCPoison, NomShub, and CVE-2026-26268), each of which allowed remote code execution on a developer's machine simply by opening a malicious repository.
For any developer working on client code or proprietary IP, the right configuration is either Pro with Privacy Mode explicitly enabled, or Business at $40/user/month with it enforced.
Recommended for
- Sole proprietor developer: Pro at $20/month with Privacy Mode toggled on immediately after install. Treat the toggle as part of setup, not optional.
- Small team (2-10 developers): Business at $40/user/month. The forced Privacy Mode and SOC 2 documentation are worth the price gap over Pro for any business handling client code.
- Regulated industry: Business or Enterprise with Privacy Mode forced on, SSO via SAML, audit log streaming to a SIEM, and a documented policy restricting Cursor to non-regulated repositories. Scope sensitive workloads to a separate workflow.
- The honest answer for most 1-10 employee businesses with developers: Cursor is genuinely the most capable AI coding tool as of mid-2026. The risk is real but manageable. Pay for Business, enforce Privacy Mode, keep the tool updated, and treat repository cloning as a privileged action.
Data retention default
- Hobby and Pro (Privacy Mode OFF): Code may be retained by Cursor and processed by model providers (OpenAI, Anthropic) under their standard API terms
- Hobby and Pro (Privacy Mode ON): Zero data retention. Code is not stored on Cursor's servers and is not used for training by Cursor or third-party model providers
- Business and Enterprise: Privacy Mode is enforced at the organisation level and cannot be disabled by individual users. Audit logs available.
- Indexing data: File paths are encrypted using client-generated keys; plaintext code is discarded after embeddings are computed. This applies regardless of Privacy Mode setting.
Training opt-out
Hobby and Pro — Privacy Mode is OFF by default. This is the most important setting Cursor users need to change. To enable: Settings → Cursor → Privacy Mode → ON.
Business and Enterprise — Privacy Mode is forcibly enabled by default. Organisation admins enforce it; individual users cannot disable it. This is the structurally correct default for any business use.
Note: Privacy Mode controls whether your code is used for training and stored by Cursor. It does not control the underlying model provider's standard logging — for that, the contractual ZDR arrangements Cursor has with OpenAI and Anthropic apply.
Zero Data Retention (ZDR) availability
- Cursor enforces ZDR with its model providers (OpenAI and Anthropic) when Privacy Mode is enabled
- This is the strongest ZDR posture of any AI coding tool in this database — it propagates the ZDR commitment down the provider chain
- Customer Managed Encryption Keys (CMEK) available for organisations with extreme security requirements (Business/Enterprise tiers)
Plan tiers and pricing (as of early 2026)
| Tier | Price (USD) | Privacy Mode default | Suitable for |
|---|---|---|---|
| Hobby (Free) | $0 | OFF | Personal experimentation only |
| Pro | $20/month | OFF — must enable manually | Personal projects; enable Privacy Mode for any client work |
| Pro+ | $60/month | OFF — must enable manually | Heavy individual use; same caveats |
| Ultra | $200/month | OFF — must enable manually | Power users with high-volume agent usage |
| Business (Teams) | $40/user/month | ON — forcibly enabled | Small teams handling client or proprietary code |
| Enterprise | Custom | ON — forcibly enabled | Larger orgs needing SAML, SCIM, CMEK |
Jurisdiction
- Primary processor: Anysphere Inc. (the company behind Cursor), San Francisco, California, USA
- Cloud infrastructure: Primarily AWS
- Model providers (OpenAI, Anthropic) process inference in the United States by default
- SOC 2 certified; supports SAML SSO and SCIM provisioning for enterprise deployments
Breach history (public incidents)
August 2025 — CurXecute (CVE-2025-54135, CVSS 8.6) and MCPoison (CVE-2025-54136)
Two separate critical vulnerabilities disclosed within days of each other. CurXecute (disclosed August 1, 2025 by Aim Security) allowed remote code execution: when Cursor was configured with an external MCP server, an attacker could return a prompt from the external service that rewrote the victim's Cursor configuration file (.cursor/mcp.json) to inject arbitrary commands. With Auto-Run enabled, Cursor would immediately execute the malicious commands. MCPoison (disclosed August 5, 2025 by Check Point Research) exploited a related issue in MCP integration. Both were responsibly disclosed (July 7 and July 16 respectively) and patched promptly.
Sources: Tenable advisory; Aim Security disclosure; Check Point Research; NSFOCUS CERT
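A defender-side check for the configuration rewrite described above, added here as an example (not code from Cursor or the cited advisories): it compares a project's current .cursor/mcp.json against a reviewed baseline and reports server entries that were added, removed or changed. The mcpServers layout, the function names and every server name, command and URL below are assumptions constructed for illustration.

```python
import json

# Constructed baseline: the MCP servers a team has reviewed and approved.
# The "mcpServers" layout and every name, command and URL are assumptions.
APPROVED = """{"mcpServers": {
  "docs":    {"command": "example-docs-mcp", "args": ["--read-only"]},
  "tickets": {"url": "https://mcp.example.internal/tickets"}
}}"""

# Constructed current file: one entry altered, one entry nobody approved.
CURRENT = """{"mcpServers": {
  "docs":    {"args": ["--read-only"], "command": "example-docs-mcp"},
  "tickets": {"url": "https://mcp.example.net/tickets"},
  "helper":  {"command": "placeholder-binary", "args": ["--flag"]}
}}"""


def server_entries(config_text: str) -> dict:
    """Map each server name to a canonical JSON string of its definition."""
    doc = json.loads(config_text)
    servers = doc.get("mcpServers", {}) if isinstance(doc, dict) else {}
    if not isinstance(servers, dict):
        raise ValueError("mcpServers must be an object")
    # sort_keys makes key order irrelevant, so only real changes count.
    return {name: json.dumps(spec, sort_keys=True) for name, spec in servers.items()}


def config_drift(approved_text: str, current_text: str) -> dict:
    """Report server entries added, removed or changed since the baseline."""
    approved = server_entries(approved_text)
    current = server_entries(current_text)
    shared = set(approved) & set(current)
    return {
        "added": sorted(set(current) - set(approved)),
        "removed": sorted(set(approved) - set(current)),
        "changed": sorted(n for n in shared if approved[n] != current[n]),
    }


if __name__ == "__main__":
    for kind, names in config_drift(APPROVED, CURRENT).items():
        print(f"{kind}: {', '.join(names) or '-'}")
```

Run against the real file before starting an agent session, any non-empty "added" or "changed" list is a reason to review the config before allowing commands to run.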
October 2025 — Case-sensitivity sensitive-file-overwrite bypass (CVE-2025-59944)
Lakera researcher Brett Gustafson discovered that Cursor's file-path validation was case-sensitive on case-insensitive filesystems (Windows, macOS), allowing crafted inputs to overwrite or add files controlling project execution — including .cursor/mcp.json. Patched in Cursor 1.7.
Source: Lakera disclosure, October 2025
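The class of check behind this bypass, as an added example (not Cursor's code and not taken from the Lakera write-up): an exact-match guard for protected files beside a hardened one that canonicalises the path first. It goes slightly beyond the case issue by also folding Windows separators and dot segments; the function names and sample paths are constructed, and only .cursor/mcp.json comes from the page.

```python
import posixpath

# Only .cursor/mcp.json is named on the page; extend the set for your own setup.
PROTECTED = {".cursor/mcp.json"}


def naive_is_protected(path: str) -> bool:
    """The 'before': exact string comparison, correct only on case-sensitive filesystems."""
    return path in PROTECTED


def canonical(path: str) -> str:
    """Reduce a relative path to one comparable form (lexical only, no symlink resolution)."""
    p = path.replace("\\", "/")   # Windows accepts both separators
    p = posixpath.normpath(p)     # collapse "./", "a/../" and repeated slashes
    return p.casefold()           # make names differing only by case compare equal


PROTECTED_CANON = {canonical(p) for p in PROTECTED}


def is_protected(path: str) -> bool:
    """The hardened check: compare canonical forms on both sides."""
    return canonical(path) in PROTECTED_CANON


def missed_by_naive(paths):
    """Paths the exact-match guard lets through but the hardened guard blocks."""
    return [p for p in paths if is_protected(p) and not naive_is_protected(p)]


# Constructed sample of write targets submitted to the guard.
SAMPLE_WRITES = [
    ".cursor/mcp.json",
    ".Cursor/MCP.json",
    ".cursor\\Mcp.Json",
    "src/../.CURSOR/mcp.json",
    "src/main.py",
    "docs/cursor/mcp.json.md",
]

if __name__ == "__main__":
    for p in SAMPLE_WRITES:
        print(f"{p!r:30} naive={naive_is_protected(p)!s:5} hardened={is_protected(p)}")
```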
December 2025 — MCP installation flow RCE (CVE-2025-64106, CVSS 8.8)
Cyata Security Ltd. discovered a vulnerability in Cursor's Model Context Protocol installation flows that allowed attackers to execute arbitrary commands on a developer's machine via crafted deep links during MCP server installation. Patched within two days of discovery.
Source: Silicon Angle; SC Media, December 2025
February 2026 — NomShub vulnerability chain (Straiker disclosure)
Straiker researchers disclosed a vulnerability chain in Cursor combining indirect prompt injection in coding agents with a command sandbox bypass and abuse of Cursor's remote tunnel feature. Mounting an attack required no user interaction beyond opening a malicious repository. Because the exploited tunnel binary is legitimate (signed and notarized), attackers could gain full file system access and command execution on macOS systems, where Cursor runs without sandbox restrictions.
Source: SecurityWeek, April 2026
February-April 2026 — Git hooks RCE (CVE-2026-26268, CVSS 8.1)
Novee Research disclosed that opening a malicious Git repository in Cursor could trigger arbitrary code execution through abuse of standard Git features. The vulnerability does not stem from a bug in Cursor's core code — it arises from how the AI agent interacts with existing Git features when operating on untrusted repositories. Cursor fixed the issue in February 2026; public disclosure was April 28, 2026.
Sources: Hackread; Cybersecurity News; GBHackers (all April 2026)
Pattern observation: Cursor has had at least five separate critical vulnerabilities disclosed between August 2025 and April 2026, each allowing remote code execution from opening an untrusted repository or installing a malicious MCP. The vulnerability surface is structurally larger than Copilot's because Cursor is a full IDE with agent autonomy and MCP integration. Patches have been prompt, but the cadence of disclosure is notable and should be factored into deployment decisions.
What this means in plain English for SMB owners
Three honest takeaways:
- Privacy Mode is not on by default on the tier you're probably using. Hobby and Pro both ship with Privacy Mode OFF. If you're using Cursor Pro for client work and you haven't toggled this on, your code has been processed by model providers under standard API terms (which means logging, not training, but the data has left your machine and entered third-party retention).
- Cursor's vulnerability cadence is the highest of any AI tool in this database. Five critical RCEs in nine months. The mitigations are: stay updated immediately when new versions ship, treat repository cloning as a privileged operation, and consider whether you actually need Auto-Run enabled. For Business and Enterprise tiers, restrict MCP server installation to admin approval only.
- The Business tier at $40/user/month is the inflection point. Below that you're trusting individual developers to remember to toggle Privacy Mode and stay updated. Above that, Privacy Mode is enforced organisationally and you get SOC 2 documentation, SSO, and audit log streaming. For any team writing software professionally, the upgrade is the simpler defensible choice.
Sources
- Cursor security documentation: https://docs.cursor.com/en/account/privacy (verified 2026-05-24)
- Endor Labs: Cursor Security guide (March 2026)
- TechJack Solutions: What Is Cursor IDE? (March 2026)
- Tenable: FAQ on CurXecute and MCPoison (August 2025)
- Lakera: Cursor vulnerability CVE-2025-59944 analysis (October 2025)
- SC Media: Cursor IDE vulnerability MCP installation (December 2025)
- Hackread: Cursor AI IDE vulnerability hidden Git hooks (April 2026)
- Cybersecurity News: Cursor AI Coding Agent Vulnerability (April 2026)
- GBHackers: Cursor AI Coding Agent Vulnerability disclosure (April 2026)
- SecurityWeek: NomShub vulnerability chain (April 2026)
- NSFOCUS CERT: CVE-2025-54135 advisory (August 2025)
