If the user’s access to Cursor is revoked from the organization, they can still use the invitation email (or rather the link in it) to get back to the Enterprise plan. This creates an administration problem, especially in large organizations.
Steps to Reproduce
Send an email invitation to a user → the user gets the invitation email
User accepts the invitation → Account status in Cursor settings is changed from Free to Enterprise, and the user is added to the members list in the Dashboard
Remove user in the Dashboard → Account status in Cursor settings is changed from Enterprise to Free, the user is not displayed in the members list in the Dashboard
User accepts the invitation from the first invitation email.
Expected Behavior
User gets an error message that the invitation has expired.
Operating System
macOS
Current Cursor Version (Menu → About Cursor → Copy)
The “invite by email” feature is essentially a convenient way to send the team’s invite link to a specific person, but the link itself is not restricted to that recipient. Anyone with access to the link can use it to join the team, and it remains valid until it expires.
I recommend treating the invite link as sensitive and sharing it only with people you want to join your team.
Single Sign On might be a better fit for teams who want more control over who can access a team. With SSO configured, users must authenticate with your IdP to join the team, so even if someone receives an invite link, they won’t be able to use it unless they’ve been granted access to Cursor in your IdP.
Ok, I assumed that invitation links are unique to the organization and user/invitation, but obviously, they are not. Doesn’t it open a vulnerability where still-active invitation links can be stolen/sold/given away? How often are invitation links rotated? It seems the Cursor team offloaded account management to the customers, and now I need to double-check if any of the laid-off and revoked engineers reappear in the members list.
Thank you for the SSO option, though; I need to investigate this approach.