Update: It has come to my attention that at least the tab model is supposed to be executed locally. So this might takes the heat of the issue a bit if it does more than the tab position. Still this thread is relevant.
2nd Update: There is now a video at the end of this post.
I now have to stop using cursor because I might have leaked internal company (luckily only non-critical development) secrets to external servers, both Cursor and Claude.
This was not the case in previous versions. When I started using cursor a few weeks ago it was the first thing I checked.
Very simple: I noticed that cursor autocompletes my secrets and the AI tooling is available when editing my .env
file. This can happen in a completely empty folder/project.
Partial content of my .cursorignore (same in .gitignore):
*.env
*.env.*
*.env*
.env
.env.*
.env*
Reproduction Steps
- Open cursor in a new folder
- create .env file
- type “hello”
- observe autocomplete like
hello = world
Alternatively add a secret to the .env, add another file and trick the autocomplete into exposing it
my_user_secret_that_you_should_notP92i1291292=9823723482348723482734
(random parts added to avoid any accidental overlap with pretrained LLM data)
In this example it could maybe be explained if you are keeping track of my clipboard history (Which I would also find deeply concerning). In this example I even made sure to have the clipboard contain something different.
I was also able to open a different file, insert the beginning of a secret and have it autocomplete the secret for me.
Steps I tried
According to the documentation this should already be the ignored automatically. Additionally, I have .env in my .gitignore
and .cursorignore
file. I had cursor generate the initial .cursorignore
file for me to avoid any mistypes etc!
So I had 3 layers of protection.
I also deleted the indexes my existing project and reindexed.
This is absolutely unacceptable. How am I supposed to ever trust Cursor again? This needs systematic guard rails against stuff like that otherwise no enterprise would ever allow usage of cursor.
I will have to switch back to VSCode and am very sad about it. I just recommended Cursor for my teams this week and have now warned everybody (and broke their local setup because of key rotation).
cursor --version
:
0.46.8
be4f0962469499f009005e66867c8402202ff0b0
arm64
on MacBook M3 Pro - MacOS Sequoia 15.3.1
List of extensions: ( cursor --list-extensions
)
antfu.goto-alias
apollographql.vscode-apollo
aswinkumar863.smarty-template-support
bibhasdn.unique-lines
bmewburn.vscode-intelephense-client
bradlc.vscode-tailwindcss
dbaeumer.vscode-eslint
dejmedus.tailwind-sorter
devsense.composer-php-vscode
devsense.intelli-php-vscode
devsense.phptools-vscode
devsense.profiler-php-vscode
eamodio.gitlens
editorconfig.editorconfig
elixir-tools.elixir-tools
esbenp.prettier-vscode
george-alisson.html-preview-vscode
hossaini.bootstrap-intellisense
inferrinizzard.prettier-sql-vscode
jakebecker.elixir-ls
jasonnutter.search-node-modules
jock.svg
mechatroner.rainbow-csv
mhutchie.git-graph
mrmlnc.vscode-duplicate
ms-azuretools.vscode-docker
ms-kubernetes-tools.vscode-kubernetes-tools
ms-vscode-remote.remote-containers
ms-vscode.live-server
ms-vscode.vscode-speech
noku.rails-run-spec-vscode
pantajoe.vscode-elixir-credo
paulo20223.nuxt-goto-alias
phoenixframework.phoenix
redhat.vscode-xml
redhat.vscode-yaml
rubocop.vscode-rubocop
sdras.vue-vscode-snippets
shd101wyy.markdown-preview-enhanced
shopify.ruby-lsp
simonsiefke.svg-preview
stivo.tailwind-fold
vue.volar
wayou.vscode-todo-highlight
yoavbls.pretty-ts-errors
UPDATE: Reproduction Video
I recorded a full reproduction video. I left in an error where I still had the user rules from the other thread. I removed it in the video and just restarted an agent session but copy and pasted the prompt (only containing the name of the secret!).
There is no trickery here. I left it in to show that this in unedited (except for removing my mail).
- I only typed
- did not select any text
- did not copy paste anything before showing the error (except in the error correct above, but never the value)
- created the simplest .cursorignore possible (does not matter, should have been ignored without it anyways)
- did not accept any tab completion
You can see:
- autocompletion suggestions with the .env file
- I only switched back to the .env file to look at what exactly I wrote in order to write it again in somefile.rb (the secret is only highlighted because the text cursor is on it leading to a background color)
- The agent claims to see the secret, while avoiding to print it. As shown in the other thread, it is however definitely send over the network.
- .env file is automatically added to the context
- (.env file content is send over network
→ shown in the other thread because the online token counter gets the file in plain text)
(link only valid for a week)
I tried the latest update as well and updated before the video. My version details:
Version: 0.46.9
VSCode Version: 1.96.2
Commit: 3395357a4ee2975d5d03595e7607ee84e3db0f20
Date: 2025-03-05T08:14:11.312Z (1 day ago)
Electron: 32.2.6
Chromium: 128.0.6613.186
Node.js: 20.18.1
V8: 12.8.374.38-electron.0
OS: Darwin arm64 24.3.0