Cursor reads .env files by default

Where does the bug appear (feature/product)?

Cursor IDE

Describe the Bug

Version 2.5.17 introduces a breaking change to the set of files that are ignored by default.
Contrary to the official documentation on default ignore patterns, Cursor now reads .env files into the agent and tab completion contexts.
Link to the documentation: Ignore files | Cursor Docs

The default ignore list and the .gitignore file no longer affect the files actually ignored, which was the case up until the update to 2.5.17.

I think such changes should at least be highlighted during the update, or properly reflected in the changelog and docs at the very least.

Steps to Reproduce

Open a repo with a .env file and a .gitignore file excluding the .env file.
Ask the agent about contents in your .env file, or manually edit the .env file with tab completions.

Expected Behavior

.env files are not read by default.

Operating System

Windows 10/11

Version Information

Cursor IDE 2.5.17

Does this stop you from using Cursor

No - Cursor works, but with this issue


Hey, thanks for the report, this is a known issue. We already talked about it in a similar ticket: Cursor IDE Agent Reads .env file!

What’s going on: .env* is in the default ignore list, but that list only applies to indexing. It does not affect Agent tool calls (Read file) or tab completion, so they can still access .env files directly. The docs reflect this, but I agree the wording can be misleading.

Workaround: add .env to .cursorignore.

  • Create a .cursorignore in the project root with patterns .env and .env.*
  • Or set it globally: VS Code Settings > General > Global Cursor Ignore List, add **/.env and **/.env.*

One caveat: .cursorignore does not block the Agent’s terminal and MCP tools, so in theory the agent could still run cat .env via the terminal. More details here: Ignore files | Cursor Docs

About the changelog, I agree changes like this should be called out clearly. I’ll pass the feedback to the team.

Let me know if the workaround helps.
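One way to check that the workaround above covers every .env variant in a repo (an added example, not part of the original thread and not Cursor's own code). It assumes a single root-level .cursorignore with gitignore-style patterns and implements only a simplified subset of that matching; all function names are hypothetical.

```python
import fnmatch
import os
import tempfile

def load_patterns(path):
    """Read ignore patterns, skipping blank lines and comments."""
    if not os.path.isfile(path):
        return []
    with open(path, encoding="utf-8") as fh:
        return [ln.strip() for ln in fh if ln.strip() and not ln.lstrip().startswith("#")]

def is_ignored(rel_path, patterns):
    """Simplified gitignore-style match (assumption): last match wins, '!' negates.
    Directory-only patterns and gitignore's exact '*' vs '/' rules are not modelled."""
    rel_path = rel_path.replace(os.sep, "/")
    name = rel_path.rsplit("/", 1)[-1]
    ignored = False
    for pat in patterns:
        negate = pat.startswith("!")
        pat = pat[1:] if negate else pat
        if pat.startswith("**/"):
            pat = pat[3:]  # "**/.env" behaves like ".env" at any depth
        target = rel_path if "/" in pat else name
        if fnmatch.fnmatchcase(target, pat.lstrip("/")):
            ignored = not negate
    return ignored

def uncovered_env_files(root):
    """Return .env and .env.* files under root that .cursorignore does not cover."""
    patterns = load_patterns(os.path.join(root, ".cursorignore"))
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for fn in filenames:
            if fn == ".env" or fn.startswith(".env."):
                rel = os.path.relpath(os.path.join(dirpath, fn), root)
                if not is_ignored(rel, patterns):
                    found.append(rel.replace(os.sep, "/"))
    return sorted(found)

def demo():
    """Constructed repo: .cursorignore lists only '.env', so '.env.*' files are missed."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "svc"))
        for rel in (".env", ".env.local", "svc/.env", "svc/.env.prod"):
            open(os.path.join(root, rel), "w").close()
        with open(os.path.join(root, ".cursorignore"), "w") as fh:
            fh.write("# constructed sample\n.env\n")
        return uncovered_env_files(root)
```

An empty result only reflects what .cursorignore itself covers; as the reply above notes, it does not block the Agent's terminal and MCP tools.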

Just wondering, is it fine for an AI agent to read .env?

Okay, thanks for the clarification!
As I understand it now:

  • There is a default ignore list that is only used for indexing
  • There is a global ignore list that is used for everything - similar to local .cursorignore files

What caused agents to read my .env file was the removal of all default values in the global ignore list with the latest update, per the changelog:

The global ignore list is now empty by default to fix sandboxing issues. Existing ignore patterns still work the same.

I can imagine many Cursor users just had their agents access their sensitive info due to this bugfix.

I still think you should make the differentiation between indexing and agent access clearer in the docs:

The Files ignored by default section currently says:

Cursor automatically ignores files in .gitignore and the default ignore list below. Override with ! prefix in .cursorignore.

The header-hierarchy does not indicate that this behavior is limited to indexing. Only if you unfold the default list below, indexing is mentioned.

You’re right. The root cause is clearing the global ignore list, as mentioned in the changelog. The .cursorignore workaround is still the only reliable option for now.

About the docs, I agree. The “Files ignored by default” section is misleading. From the title, it’s not clear this is only about indexing, and you only find out after expanding the list. I’ve passed this feedback to the team.

The .cursorignore fix works for file reads, but the terminal gap is the concern. If the agent decides to cat .env or printenv, there’s nothing stopping it. Feels like sandbox + .cursorignore should cover terminal output too.

This topic was automatically closed 22 days after the last reply. New replies are no longer allowed.