.env file question

Update: It has come to my attention that at least the tab model is supposed to be executed locally. So this might takes the heat of the issue a bit if it does more than the tab position. Still this thread is relevant.
2nd Update: There is now a video at the end of this post.

I now have to stop using cursor because I might have leaked internal company (luckily only non-critical development) secrets to external servers, both Cursor and Claude.

This was not the case in previous versions. When I started using cursor a few weeks ago it was the first thing I checked.

Very simple: I noticed that cursor autocompletes my secrets and the AI tooling is available when editing my .env file. This can happen in a completely empty folder/project.

Partial content of my .cursorignore (same in .gitignore):

*.env
*.env.*
*.env*
.env
.env.*
.env*

Reproduction Steps

  • Open cursor in a new folder
  • create .env file
  • type “hello”
  • observe autocomplete like hello = world

Alternatively add a secret to the .env, add another file and trick the autocomplete into exposing it
my_user_secret_that_you_should_notP92i1291292=9823723482348723482734 (random parts added to avoid any accidental overlap with pretrained LLM data)

In this example it could maybe be explained if you are keeping track of my clipboard history (Which I would also find deeply concerning). In this example I even made sure to have the clipboard contain something different.

I was also able to open a different file, insert the beginning of a secret and have it autocomplete the secret for me.

Steps I tried

According to the documentation this should already be the ignored automatically. Additionally, I have .env in my .gitignore and .cursorignore file. I had cursor generate the initial .cursorignore file for me to avoid any mistypes etc!
So I had 3 layers of protection.

I also deleted the indexes my existing project and reindexed.

:police_car_light: This is absolutely unacceptable. How am I supposed to ever trust Cursor again? This needs systematic guard rails against stuff like that otherwise no enterprise would ever allow usage of cursor.

I will have to switch back to VSCode and am very sad about it. I just recommended Cursor for my teams this week and have now warned everybody (and broke their local setup because of key rotation).

cursor --version:

0.46.8
be4f0962469499f009005e66867c8402202ff0b0
arm64

on MacBook M3 Pro - MacOS Sequoia 15.3.1

List of extensions: ( cursor --list-extensions)

antfu.goto-alias
apollographql.vscode-apollo
aswinkumar863.smarty-template-support
bibhasdn.unique-lines
bmewburn.vscode-intelephense-client
bradlc.vscode-tailwindcss
dbaeumer.vscode-eslint
dejmedus.tailwind-sorter
devsense.composer-php-vscode
devsense.intelli-php-vscode
devsense.phptools-vscode
devsense.profiler-php-vscode
eamodio.gitlens
editorconfig.editorconfig
elixir-tools.elixir-tools
esbenp.prettier-vscode
george-alisson.html-preview-vscode
hossaini.bootstrap-intellisense
inferrinizzard.prettier-sql-vscode
jakebecker.elixir-ls
jasonnutter.search-node-modules
jock.svg
mechatroner.rainbow-csv
mhutchie.git-graph
mrmlnc.vscode-duplicate
ms-azuretools.vscode-docker
ms-kubernetes-tools.vscode-kubernetes-tools
ms-vscode-remote.remote-containers
ms-vscode.live-server
ms-vscode.vscode-speech
noku.rails-run-spec-vscode
pantajoe.vscode-elixir-credo
paulo20223.nuxt-goto-alias
phoenixframework.phoenix
redhat.vscode-xml
redhat.vscode-yaml
rubocop.vscode-rubocop
sdras.vue-vscode-snippets
shd101wyy.markdown-preview-enhanced
shopify.ruby-lsp
simonsiefke.svg-preview
stivo.tailwind-fold
vue.volar
wayou.vscode-todo-highlight
yoavbls.pretty-ts-errors

UPDATE: Reproduction Video

I recorded a full reproduction video. I left in an error where I still had the user rules from the other thread. I removed it in the video and just restarted an agent session but copy and pasted the prompt (only containing the name of the secret!).
There is no trickery here. I left it in to show that this in unedited (except for removing my mail).

  • I only typed
  • did not select any text
  • did not copy paste anything before showing the error (except in the error correct above, but never the value)
  • created the simplest .cursorignore possible (does not matter, should have been ignored without it anyways)
  • did not accept any tab completion

You can see:

  • autocompletion suggestions with the .env file :police_car_light:
  • I only switched back to the .env file to look at what exactly I wrote in order to write it again in somefile.rb (the secret is only highlighted because the text cursor is on it leading to a background color)
  • The agent claims to see the secret, while avoiding to print it. As shown in the other thread, it is however definitely send over the network.
  • .env file is automatically added to the context :police_car_light:
  • (.env file content is send over network :police_car_light: → shown in the other thread because the online token counter gets the file in plain text)

(link only valid for a week)

I tried the latest update as well and updated before the video. My version details:

Version: 0.46.9
VSCode Version: 1.96.2
Commit: 3395357a4ee2975d5d03595e7607ee84e3db0f20
Date: 2025-03-05T08:14:11.312Z (1 day ago)
Electron: 32.2.6
Chromium: 128.0.6613.186
Node.js: 20.18.1
V8: 12.8.374.38-electron.0
OS: Darwin arm64 24.3.0
6 Likes

I colleague was able to reproduce this as well

The temperatur is now lower, I was informed that tab autocompletes are local only:

Maybe even the local model should ignore this because my understanding of “ignore the file” is that it is fully ignored. I also do not want to have a screenshare session that autocompletes my passwords or have the file end up at all in any kind of context, even when having the file open and opening a chat or whatever.

Still relevant: Block access to credential files (*.env, *.env.local) to prevent AI exposure - #8 by SomeUser123

Yikes!! You have several “intellisense”-like extensions. Are you sure one of those isn’t instantiating autocomplete? Have you tried disabling all extensions and repro?

Most of them are actually deleted and only disabled per project. Unfortunately the automatic list does not show that, sorry for the confusion.
Also none of those are AI based.

Following this thread.

I’ve added a reproduction video above.

1 Like

Do you have any references for this? The post you link to show a “server latency p50” for the Tab model, which indicates the opposite.

It’d be highly problematic if the Tab model sends up envs to a server!

Crazy. Here’s a screenshot from another thread that shows how the .env is uploaded.

Cursor uploading files listed in .gitignore and .cursorignore is a huge security flaw!

0.47 mostly fixes this. However only when a .cursorignore is present.
According to the docs, Cursor should ignore a set of default files (which includes .env) but only for indexing and stuff mentioned in .gitignore. I think this is still a mayor problem.

Without a specific .cursorignore it means opening a repository for the first time might be dangerous… Basically you would need inject a basic ignore file for every project on your device (or somehow set it up globally, which I tried to find) before starting cursor within that folder.

Nice to see this improved, but come on…

1 Like

So what I find not so cool is the communication

  1. Nobody from the cursor team really acknowledges the issue
  2. @truell20 edited the title of this thread to “.env question” which is trying to put stuff under the rug, in my opinion. This is unacceptable, especially without at least a reply here. I am now also unable to update the post any longer. This is just shady.
  3. “best effort” in regards to security stuff
  4. This post on reddit is first answered with “Here is what the user might did wrong”
  5. I also contacted the official support, no response yet.

I would have expected “Hey, we took this serious, here is what we did and how we make sure that never happens again. Sorry about that”

3 Likes

Thats true. Cursor doesnt respect the cursor ignore file.
Cursor edit my .env very often. Change the name eg of
OPEN_AI_KEY to AI_KEY then to something else.

Its really funny. I really frustrated.

Sometime Cursor acts like a pro then 10 minutes later like a fool.

its a tough crowd, coders , and the rate of feature release
I have kept giving Cursor team a chance
despite not liking their pedigree (they are far less experienced as Codeium)

maybe a large part of the fund raise seems to be used for the compute
and benefit us free(tier)loaders

also,
some of the rejection errors are starting to be very crippling

these kind of gaffes are going to destroy everyone in the cursor ecosystem
including paid accounts

1 Like

Just to clarify what’s happening here - there was a bug that caused Cursor Tab to show suggestions that could contain sensitive data, if you’ve recently edited an ignored file (added to .cursorignore). This has been fixed in version v0.47 which is currently rolling out.

The default behavior should be to ignore any files in your .cursorignore as context, but this bug meant it could slip into Tab suggestions - you can read more about our security practices at Security | Cursor - The AI Code Editor

We take security very seriously, and I totally understand the frustration around communication. The team has been fixing these edge cases whenever we are made aware of them, and can track down a cause, but you’re right that we should have been more proactive in addressing concerns.

To be clear, with Privacy Mode enabled, none of your code is ever stored outside of processing each specific request. While you could see .env data from Tab suggestions in 0.46 and below, as long as Privacy Mode is enabled, these requests will have long been forgotten from our systems.

See this extract from our security page - cursor.com/security:

Privacy mode can be enabled during onboarding or in settings. When it is enabled, we guarantee that code data is not stored in plaintext at our servers or by our subprocessors. Privacy mode can be enabled by anyone (free or Pro user), and is by default forcibly enabled for any user that is a member of a team.

For anyone concerned, I’d recommend updating to 0.47 when it becomes available to you. You can check your current version using the About Cursor menu.

2 Likes

I feel like “not stored” and “if added to cursorignore” isn’t enough.

For well known file(-extensions) that store secrets, the default should be to never transfer those files or their partial contents ever.

For my understanding at least such patterns as these should be auto-ignored, no matter what the .gitignore or .cursorignore say:

  • .env(.*?)
  • .git-credentials
  • Maybe even everything that starts with a dot?
  • .npmrc
  • config.json
  • composer.auth.json
  • credentials.json
  • id_rsa**,** id_rsa.pub
  • aws_credentials
  • .dockercfg
  • secrets.json**,** apikey.txt,…
  • .pem, .crt,…

I guess with a bit of research this list easily gets superlong

4 Likes

Cant agree with that. .cursorignore and .gitignore must be respected as this depends on the user and the project.

Those who have sensitive info in .env can put it in both ignores, but then .env.testing or so not in there, that way AI can check during test runs if it works, but doesnt access the sensitive data.

First off, thanks for finally saying anything official :+1:

  1. user defined global settings would help
  2. well-known list by default is what I personally would have expected, as the indexing also does that
  3. you should be able to override this behaviour with !.env.test :slight_smile:
  4. (separate issue:) better support communication processes (more support people?)
1 Like

It’s much to easy to open an existing folder in your IDE by accident.

Another scenario is that you check out some git project and that contains relative symlinks to sensible directorys. It’s impossible to always know and be cautios enough to preemptively put everything into a custom ignore list.

Yes in your scenario using git is the issue, not the ignore files. Basically any git checkout would put your system in danger. you can disable this with git config --global core.symlinks false for untrusted repositories or disallow usage of git :slight_smile: though overall cloning should be safe apart of submodules.

As for opening another folder, which is a valid potential issue, Cursor should add to open folder an option to manually check a checkbox if the indexing should be turned on for that, as it cant be a system wide setting.

The reason why im not in general on the side that .env and co should be omitted is that not all languages have predefined formats, not all can ever be listed, not all use cases can be covered, not everyone uses those conventions, … In such case Cursor may need to have a general setting, don't index by default which is turned off and can be turned on for those who need it and then allow by project a custom setting in that project config.