Cursor violates External-File Protection

Where does the bug appear (feature/product)?

Cursor IDE

Describe the Bug

Cursor reads file outside of workspace (parent dir) without any prompt.

Steps to Reproduce

  1. Create folder (Foo).
  • Working with Kiro on “Foo” and it creates “.kiro” folder in it.
  1. Create “ttt” in “Foo” (meaningless; I want to create isolated env from Kiro)
  2. Open it with cursor (cursor opens empty “ttt” folder; title bar shows “ttt”)
  3. Enter plan mode and use same prompt with kiro to create plan
  4. Then, cursor prompts to read parent dir by command with full path (I press skip: Rejected: User chose to skip)
  5. Cursor says “The repo already has a detailed spec in .kiro/specs/...

Note: show me the content you've read. first 20 lines.shows parent dir content.

Expected Behavior

Don’t read parent folder/file with and without prompt in protection mode, even if current (opened) directory doesn’t have a .git, or other folder/file that indicates 'here is workspace".

note: please do not say "you should run git init on that folder.. AI must not read outside of working directory with protection setting. (not only content itself, including scanning directory and file names)

Screenshots / Screen Recordings

Operating System

Windows 10/11

Version Information

Version: 3.6.31 (system setup)
VS Code Extension API: 1.105.1
Commit: 81fcf2931d7687b4ff3f3017858d0c6dee7e2a60
Date: 2026-05-31T17:46:29.630Z
Layout: editor
Build Type: Stable
Release Track: Default
Electron: 39.8.1
Chromium: 142.0.7444.265
Node.js: 22.22.1
V8: 14.2.231.22-electron.0
xterm.js: 6.1.0-beta.220

For AI issues: which model did you use?

Composer 2.5

Does this stop you from using Cursor

Yes - Cursor is unusable

Hey, thanks for the detailed report. This isn’t actually a bug, it’s the scope of the setting, and the name is a bit confusing.

External-File Protection only limits writing outside the workspace. That means creating, editing, or deleting files. You can see this in the toggle description on your screenshot: “Prevent Agent from creating or modifying files outside of the workspace automatically”. It doesn’t block reading files outside the workspace.

So the agent can technically read files from a parent directory, like ../.kiro/specs/..., if the model decides it’s useful for context. This shows up more in Plan mode since the agent intentionally explores a bit wider to gather context for the plan. If the agent tried to write to those parent files, protection would kick in.

A similar case was discussed here: Subfolder workspace still retrieves parent-folder

If you want to fully isolate the workspace from the parent folder, a couple of options:

  • Open the workspace outside the Foo folder tree, so ../ can’t physically reach .kiro.
  • Use .cursorignore to exclude unwanted paths from the context.

A request to also block reading outside the workspace makes sense. It’s worth filing as a separate feature request so the team can consider expanding this setting.

It’s so terirble if I working on C:/Users/_me_/Documents, AI may scan my entire home directory, with just a reason “helpful for finding secrets”?

I want to prevent traversing upwards completely. I don’t want to place .cursorignore everywhere. (or, does cursor stop traversal when .cursorignore found?).

I get the concern. If you open Cursor right in Documents or your home directory, the agent can technically read files higher up the folder tree.

To avoid putting a .cursorignore in every folder, use Global ignore files in user settings. These patterns apply to all projects. This is great for sensitive stuff, for example:

**/.env
**/.env.*
**/credentials.json
**/secrets.json
**/*.key
**/id_rsa

By default, the global list is empty. More info: Ignore File | Cursor Docs

Files that match ignore patterns are excluded from indexing and AI features, so the agent shouldn’t pull them in. But fully blocking reads from parent directories is still being discussed as unresolved behavior. So treat ignore as strong filtering, not a hard boundary.

If you need full isolation from the parent folder, the most reliable option is to open your workspace outside the Foo tree, so ../ can’t physically reach sibling folders.

Right now there isn’t a setting that means “block any reads above the workspace entirely.” It’s a reasonable request. I’d suggest posting it as a separate feature request thread so the team can track it better. The current thread is marked as a bug report, but this is really a request for new behavior, so a separate post will get better follow-up.