Developer accidentally spends company’s entire Cursor budget in one sitting — and discovers worrying flaw that let them extend it by over $1 million

OX Security says that a lack of mandatory spending caps and overly permissive access mean it's possible to drain corporate budgets within hours


A mistake by a developer at OX Security has revealed critical vulnerabilities in Cursor that could allow attackers to drain enterprise coffers.

Cursor is one of a number of highly popular “vibe coding” platforms that allow developers to build applications using AI.

According to OX Security, the developer in question accidentally spent the firm’s entire monthly budget in hours, prompting calls for more robust spending caps and guardrails.

"When he got notified of exceeding the limit, he wandered off to his user settings and found out he could simply change the organization’s budget limitations (to over $1M!) – even though he wasn’t the admin. The admin received no notification."

The mistake was possible because of a lack of mandatory spend caps and overly permissive access, with non-admins able to modify critical settings. Meanwhile, bills appeared hours or days later, making the overspend difficult to spot.

While Cursor offers ways to limit spending, these protections are not enabled by default, are reactive rather than preventative, and depend entirely on manual configuration.

OX Security said most teams will probably assume that controls are admin-only, particularly given the statement in Cursor’s documentation that “admins can increase the limit”.

However, the default settings mean that a non-admin user can change team limits to 'unlimited', set caps to more than $1,000,000, and save changes without any pushback.
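The conditions described above (a limit change made by a non-admin, a limit set to 'unlimited' or far above what the team approved, and spend that only shows up on a bill hours later) can be checked mechanically. The following is an added example, not code from OX Security or Cursor; the record fields, role names, ceiling and sample data are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class LimitChange:
    # Hypothetical record shape; not Cursor's or AWS's actual schema.
    actor: str
    role: str                   # "admin" or "member"
    new_limit: Optional[float]  # USD per month; None means "unlimited"

def review_limit_change(ev: LimitChange, ceiling_usd: float) -> List[str]:
    """Return the reasons a spend-limit change needs admin review."""
    findings = []
    if ev.role != "admin":
        findings.append("changed by non-admin")
    if ev.new_limit is None:
        findings.append("limit removed")
    elif ev.new_limit > ceiling_usd:
        findings.append("limit above approved ceiling")
    return findings

def hours_to_exhaustion(samples: List[Tuple[float, float]],
                        budget_usd: float) -> Optional[float]:
    """Project hours until the budget is spent, from the latest burn rate.

    samples: (hour, cumulative_spend_usd) pairs in time order.
    Returns 0.0 if already exhausted, None if no rate can be derived.
    """
    if len(samples) < 2:
        return None
    (h0, s0), (h1, s1) = samples[-2], samples[-1]
    if s1 >= budget_usd:
        return 0.0
    if h1 <= h0:
        return None                    # duplicate or out-of-order timestamps
    rate = (s1 - s0) / (h1 - h0)       # USD per hour over the last interval
    if rate <= 0:
        return None                    # spend is not growing
    return (budget_usd - s1) / rate

# Constructed sample data for illustration.
CHANGES = [
    LimitChange("alice", "admin", 2_000.0),
    LimitChange("bob", "member", 1_000_000.0),
    LimitChange("carol", "member", None),
]
SPEND = [(0, 10.0), (1, 12.0), (2, 112.0)]  # sudden jump in hour 2

if __name__ == "__main__":
    for ev in CHANGES:
        print(ev.actor, review_limit_change(ev, ceiling_usd=5_000.0))
    print("hours left:", hours_to_exhaustion(SPEND, budget_usd=500.0))
```

Alerting on the projected hours remaining, rather than on the invoice, is what turns a reactive control into a preventative one.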

Amazon Bedrock has the same issue

Amazon Bedrock has similar issues, according to OX Security. The firm noted the platform also has no built-in spend caps by default.

The company does acknowledge this risk in its documentation, however, noting that “Amazon Bedrock offers a pay-as-you-go pricing structure that can potentially lead to unexpected and excessive bills if usage is not carefully monitored”.

Official documentation also states that “traditional methods help spot high usage, but only after costs are incurred.”

This isn’t only an admin’s headache, OX Security warned, as it's been able to build a proof-of-concept showing how attackers can exploit these weaknesses to drain millions of dollars in compute power value.

First, the attacker sends a malicious Cursor deeplink which, when clicked, automatically injects a prompt into the user’s Cursor chat, opens the Command Palette, and navigates to the team Usage & Billing modal.

Thereafter, it edits the usage limit to an extremely high value and then saves it – all without requiring admin permissions. The team budget can now hit more than $1 million a month.

Crucially, a second deeplink is then sent, triggering an infinite request loop that floods Cursor with high usage. This link runs code in the name of the team member and injects a prompt that triggers infinite requests, burning through tokens at scale.

Researchers warned this would cost the company up to the modified limit.

Deeper access

According to OX Security, when developer accounts are compromised or API tokens leak online, attackers gain direct access to AI compute resources.

These stolen tokens can be used directly by attackers for their own AI workloads or exploited at scale across multiple compromised accounts simultaneously – or sold on dark web marketplaces where AI access is increasingly valuable.

"Organizations using these platforms should immediately review billing settings, enable admin-only controls, and implement spending caps," said the firm.

"This wasn’t just a configuration oversight. It exposed a systemic problem: AI platforms prioritize speed and access over protection, creating an environment where a single leaked token or malicious link can trigger unbounded usage – silently driving costs into the millions before any alert fires."

OX Security said it's notified Cursor and Amazon Web Services (AWS) of the vulnerabilities, but hasn't yet received a reply.


Emma Woollacott

Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.