Pwn2Own Berlin 2026: Cursor, LiteLLM, and Codex Hacked

Cursor IDE was hacked twice at Pwn2Own Berlin 2026. So was OpenAI Codex. So was LiteLLM. Every AI category target at the competition was successfully compromised — and the 90-day clock before full public disclosure starts now.

Pwn2Own Berlin concluded on May 16 with $1,298,250 paid out across 47 unique zero-day vulnerabilities. The mainstream security headlines focused on Windows 11 and Microsoft Exchange. But for developers, the news that matters came from the AI and developer tooling categories, which Trend Micro’s Zero Day Initiative expanded significantly this year.

Cursor Got Hit Twice

On Day 2 of the competition, two separate research teams successfully exploited Cursor, the AI-powered code editor built on VS Code that has become a staple in developer workflows.

Le Duc Anh Vu of Viettel Cyber Security took home $30,000 for the first successful exploit. A few hours later, a five-person team from Compass Security collected $15,000 for a second, independent attack. That’s $45,000 in total payouts and two confirmed zero-days in software millions of developers run with full access to their codebase.

Technical details remain under embargo — ZDI’s 90-day disclosure policy gives Cursor until around mid-August 2026 to ship patches before the specifics go public. What’s confirmed is that both exploits succeeded cleanly enough to meet Pwn2Own’s strict verification requirements.

This isn’t entirely surprising. Earlier this year, OX Security found that Cursor and Windsurf were carrying 94+ known Chromium vulnerabilities because neither IDE had updated its underlying Electron engine in over a year. Cursor’s last Chromium update was in March 2025. When the Pwn2Own exploits become public, they may land on top of an already-unpatched base.

LiteLLM: SSRF, Code Injection, Full Takeover

On Day 1, researcher k3vg3n demonstrated why AI infrastructure components deserve the same adversarial scrutiny as any production API. LiteLLM — the open-source proxy library that routes requests to OpenAI, Anthropic, and other LLM providers — fell to a three-bug chain that combined Server-Side Request Forgery with code injection for full system takeover. The payout was $40,000.

The significance here extends beyond LiteLLM itself. If you’re running an AI-integrated application and using LiteLLM to manage your model routing, the attack surface isn’t just the prompts going in and the completions coming out. It’s the request handling layer, the authentication logic, and the API plumbing. SSRF bugs in an LLM proxy can pivot to internal services. Code injection means arbitrary execution. Combined, they’re a complete compromise.
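The SSRF risk described above, seen from the defender's side: an added example (not LiteLLM's code, and not a reconstruction of the embargoed Pwn2Own bugs) of a destination check a proxy can run before forwarding a request to a caller-influenced upstream URL. The allowlist, the function names and the injectable resolver are assumptions made for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Assumed allowlist of upstream provider hosts (constructed for this example).
ALLOWED_HOSTS = {"api.openai.com", "api.anthropic.com"}


def system_resolver(host, port):
    """Return the set of IP strings the OS would connect to for host."""
    infos = socket.getaddrinfo(host, port, proto=socket.IPPROTO_TCP)
    return {info[4][0] for info in infos}


def check_upstream(url, resolver=system_resolver):
    """Return (ok, reason) for a caller-influenced upstream URL."""
    try:
        parts = urlsplit(url)
        port = parts.port or 443
    except ValueError:
        return False, "malformed URL"
    if parts.scheme != "https":
        return False, "scheme not https"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL"
    # urlsplit already lower-cases the hostname; strip a trailing dot as well.
    host = (parts.hostname or "").rstrip(".")
    if host not in ALLOWED_HOSTS:
        return False, "host not in allowlist"
    try:
        addrs = resolver(host, port)
    except OSError:
        addrs = set()
    if not addrs:
        return False, "resolution failed"
    for addr in sorted(addrs):
        ip = ipaddress.ip_address(addr.split("%")[0])  # drop IPv6 zone id
        # Judge IPv4-mapped IPv6 (::ffff:10.0.0.5) by its embedded IPv4 address.
        ip = getattr(ip, "ipv4_mapped", None) or ip
        # Reject loopback, RFC 1918, link-local (cloud metadata) and other
        # non-public ranges even when the name itself is allowlisted.
        if not ip.is_global:
            return False, f"resolves to non-public address {ip}"
    return True, "ok"
```

The proxy should then connect to the address that was checked rather than resolving the name a second time; otherwise a changed DNS answer bypasses the check.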

OpenAI Codex Also Fell — Twice

OpenAI’s cloud-based coding agent was exploited by two separate teams. Satoki Tsuji of Ikotas Labs earned $20,000 by abusing an external control mechanism to trigger unintended behavior. Compass Security then collected $40,000 using a single CWE-150 bug — improper neutralization of delimiters — for a second successful compromise.

Three major AI developer tools, six successful exploits, zero AI category targets left standing. The 100% compromise rate across all AI categories isn’t a coincidence. It reflects a structural issue: AI tooling has been shipped and scaled on the assumption that it inherits the security of the underlying platforms, and that assumption is wrong.

Why AI Dev Tools Are High-Value Targets Now

The attack surface of a modern AI IDE is fundamentally different from a traditional editor. Cursor isn’t just a text editor — it’s an Electron application making cloud API calls, executing autonomous agent workflows, loading extensions from a marketplace, and potentially connecting to MCP servers. Each integration layer is a potential entry point.

More importantly, developers trust their IDE implicitly. You think twice before running a random binary. You don’t think twice about opening a project in Cursor. Attackers know this. A compromised IDE with agent capabilities and filesystem access is not a contained breach — it’s a breach of everything the developer touches.

What to Do Now

The practical steps are straightforward:

  • Update Cursor and any other AI IDE to the latest version. Patches are likely incoming as vendors respond to the Pwn2Own disclosures.
  • Disable or restrict autonomous agent execution when working in unfamiliar or untrusted repositories.
  • If you’re running LiteLLM in production, review the project’s security advisories and apply updates immediately.
  • Track ZDI advisories for Cursor and OpenAI Codex — technical details drop around mid-August 2026. That’s when researchers outside the competition will start building on those vulnerabilities.

The ZDI disclosure timeline is not academic. When exploit details go public, unpatched installs become trivially exploitable. The 90-day window is the grace period — and it’s already running.

AI dev tools are not going away, and neither is the adversarial interest in them. Pwn2Own Berlin 2026 made official what security researchers have been warning: these tools are now first-class targets, and they need to be treated that way.

ByteBot