GitLens MCP server auto-added in Cursor and cannot be removed

Where does the bug appear (feature/product)?

  • Cursor IDE (Version: 3.2.11, VSCode Version: 1.105.1)

Describe the Bug

extension-GitKraken added to Installed MCP Servers automatically and can’t be removed

Steps to Reproduce

After installing/updating GitLens extension, a GitKraken MCP server is automatically added to the “Installed MCP Servers” list in Cursor

Problem:

  • I did not explicitly install or enable any MCP server

  • The server shows up as installed in Cursor

  • I can temporarily disable it, but it gets auto-enabled again, and deleting it adds it back automatically

Security Concern:

  • A third-party extension is able to register and persist an executable MCP server inside Cursor without explicit user consent

  • This effectively introduces the ability to inject malicious tools / prompts into the LLM context.

  • This pattern (implicit install + persistence + tool execution) resembles supply-chain risk characteristics, even if not malicious

Impact:

  • Unexpected token usage increase (agent now pulling repo context via MCP)

  • No way to opt out once it’s added

  • Supply-chain risk for Cursor users

Expected:

  • MCP servers should require explicit opt-in

Refs:
https://github.com/gitkraken/vscode-gitlens/issues/5084

Does this stop you from using Cursor?

  • Yes - This is less about GitLens itself and more about how Cursor allows external tools to register persistent MCP servers without user control. This behavior has real security implications and needs clarification.

Hey! Thanks for raising this.

There are two separate issues we’re tracking here:

  • Extension-provided MCP servers are re-enabled across restart
  • It’s possible to remove an MCP server entirely while continuing to use the rest of the extension

As the maintainer mentioned on the GitHub issue, you can set "gitlens.gitkraken.mcp.autoEnabled": false in your VSCode settings to prevent it from auto-enabling. I’ve just tested this out locally, and it removes the MCP server!
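
An added example, not part of the thread or of GitLens/Cursor code: a check that a settings.json file actually carries the opt-out named in the reply above. VS Code settings files are JSONC (comments and trailing commas are allowed), so a plain JSON parse can fail on them. The function name, the status labels and the sample content are assumptions made for illustration.

```python
import json
import re

KEY = "gitlens.gitkraken.mcp.autoEnabled"  # setting named in the reply above

# Match whole string literals first so "//", "/*" or "," inside a value survive.
STRING = r'"(?:\\.|[^"\\])*"'
COMMENTS = re.compile(STRING + r"|//[^\n]*|/\*.*?\*/", re.S)
TRAILING_COMMA = re.compile(STRING + r"|,(?=\s*[}\]])")

def _keep_strings(match):
    """Keep string literals untouched, drop any other match."""
    tok = match.group(0)
    return tok if tok.startswith('"') else ""

def strip_jsonc(text):
    """Remove comments, then trailing commas, leaving strict JSON."""
    return TRAILING_COMMA.sub(_keep_strings, COMMENTS.sub(_keep_strings, text))

def mcp_auto_enable_status(settings_text):
    """Report 'opted-out' only when the key is explicitly false.

    Assumption: a missing key is reported as 'not-set', since the thread
    describes the server being enabled without any user setting.
    """
    settings = json.loads(strip_jsonc(settings_text))
    if KEY not in settings:
        return "not-set"
    return "opted-out" if settings[KEY] is False else "enabled"

# Constructed sample settings.json content (not taken from the thread).
SAMPLE = '''{
  "editor.fontSize": 14, // editor prefs
  "http.proxy": "http://proxy.example:8080", /* constructed value */
  "files.exclude": {"**/.git": true,},
  "gitlens.gitkraken.mcp.autoEnabled": false,
}'''

if __name__ == "__main__":
    print(mcp_auto_enable_status(SAMPLE))
```

Run it against the text of each settings file in use (user and workspace), since a value in one does not show what the other contains.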

The real problem here isn’t GitLens

Any extension can now silently register a persistent MCP server that executes code and injects context into your AI — no mcp.json, no permission prompt, no opt-in. That’s a supply chain risk by design.