Cursor Has 5 CVEs. Windsurf Has FedRAMP. What Does Your AI Coding Tool Actually Do With Your Code?

Security audits of AI coding tools reveal a pattern: closed-source tools with known vulnerabilities, broad data access, and subprocessors you may not be aware of.

Published: 2026-03-21

Cursor, one of the fastest-growing AI coding tools, accumulated five high-severity CVEs in 2025, with CVSS scores ranging from 7.3 to 8.8. The vulnerabilities include remote code execution bugs and case-sensitivity bypasses that allow overwriting protected configuration files.

Security audits of AI coding tools reveal patterns that security-conscious teams should understand before deployment.

What Cursor's audit found

A published security audit of Cursor applied a 5-point AI tool security checklist:

  1. Data handling: Cursor routes code through 15+ subprocessors including AWS, OpenAI, Anthropic, and Google Cloud. Privacy Mode reduces but does not eliminate this data flow.

  2. Vulnerability history: Five high-severity CVEs patched in 2025. RCE vulnerabilities CVE-2025-54135 and CVE-2025-54136 specifically targeted MCP connections.

  3. Code verifiability: Cursor is closed source. SOC 2 Type II certification covers operational security but does not allow independent code audits.

  4. System access: Cursor requires broad file system and network access to function. Three of the five CVEs targeted excessive permission paths.

  5. Audit capability: Enterprise plans include audit logs, but the depth and retention depend on the plan tier.

The audit concluded that Cursor is usable with proper configuration but carries a "medium risk" rating due to the combination of closed-source code, vulnerability history, and subprocessor chain.

The subprocessor chain problem

Even when using Privacy Mode, Cursor routes code through multiple third-party services:

  • Cloudflare (proxy and DDoS protection)
  • Vercel (infrastructure)
  • AWS (compute and storage)
  • OpenAI, Anthropic, Google Cloud (model inference)
  • Additional unnamed subprocessors

Each subprocessor in the chain represents a data processing relationship that may have its own security posture, compliance certifications, and breach history.

What this does not mean

This is not an argument that Cursor is unusable or that these vulnerabilities make it unsafe for all use cases. Cursor patched each vulnerability responsibly when disclosed. SOC 2 Type II certification provides independent verification of operational security controls.

What it means is that using Cursor requires understanding what you are trusting: closed-source code, a multi-vendor data path, and a vulnerability history similar to other tools in its category.

The alternative: transparent governance

Syndicate Code is open-source software. The control plane implementation can be inspected, audited, and verified. The governance model—approval requirements, argument binding, event logging—is implemented in code that can be reviewed.

For teams that prioritize verifiability over convenience, open-source governance infrastructure provides a different trust model than closed-source tools.

FAQ

Does Syndicate Code have CVEs?

Syndicate Code is open-source software. Any vulnerabilities discovered in Syndicate Code would be publicly disclosed through the project's security process. The open-source model allows security researchers to audit the code directly.

Is open source automatically more secure?

No. Open source software can have vulnerabilities like any other software. The advantage is verifiability: anyone can audit the code, and vulnerabilities are more likely to be discovered through public review. The disadvantage is that attackers can also audit the code for vulnerabilities.

Does Syndicate Code route data through third-party services?

Syndicate Code connects to AI model providers (Anthropic, OpenAI, Google) through their APIs. The control plane and event store operate locally. Code and events are not routed through third-party infrastructure beyond the AI model provider APIs.

What is Syndicate Code's vulnerability disclosure process?

Syndicate Code follows a responsible disclosure process for security vulnerabilities. Details are published in the project repository.