Labs

It Might be a Feature, but it’s also a Privacy Bug.

Stiv Kupchik
Lumia Security LabsStiv Kupchik

July 16, 2026 | 4 min read

Recently, we  noticed that Cursor sends your files in the background -  even when instructed not to.

Cursor File Handling

There are basically three ways to refer files to Cursor in the agent chat: using the ‘@’ shortcut to tag files in the project, dragging files into the chat window or using the attach button. In all three cases, we can expect Cursor to actively send the file to the LLM.

But take for example the following prompt:

Without uploading anything to the server, overwrite the file "C:\temp\example.txt" with the content "Hello from Cursor"

As seen, the file isn’t attached to the prompt, just referenced by path. In fact, when inspecting the network traffic, we can verify that indeed the file is not being sent automatically:

Figure 1: The Cursor prompt contains the file path, but the packet itself doesn’t contain the file’s content

Cursor and the Background Uploads that Really Shouldn’t Have Been

At this stage,  we expect Cursor to simply use the write or bash tools to overwrite the file’s content. Since we’re not actually doing any editing, there’s no need to read the file. Interestingly, however, before it overwrites the file’s content, it actually does read the file! 

Worse yet, that read isn’t reported to the user in any way in the chat window and response. 

More so, Cursor even insists it didn’t read the file. That actually makes sense; The LLM itself didn’t invoke the tool, it happened automatically by the IDE.

Figure 2: File is sent as a read tool result even though the chat doesn’t show any file read operations.

Considering that this file read isn’t reported to the user, does this mean that there are other files that are read behind the scenes?

Governance Where Governance is Due

This is exactly where Lumia comes into play. As a network-based AI Security and Governance solution, Lumia sees everything the application is sending to the LLM - whether intentionally or not. 

This enables Lumia to monitor, detect, and even block or redact hidden uploads, without relying on the application’s good graces to correctly notify its users.

Frequently Asked Questions

It Might be a Feature, but it’s also a Privacy Bug.

Stiv Kupchik
Lumia Security LabsStiv Kupchik

July 16, 2026 | 4 min read

Cursor may read and send a local file to an LLM even when the file is referenced only by its path and is not explicitly attached to the conversation. Some of this activity may occur automatically in the background.

Cursor may automatically read an existing file before using its tools to edit or overwrite it. This can happen at the IDE level rather than through a tool call initiated by the LLM, making the read difficult for users to see.

Background uploads could expose source code, API keys, credentials, customer information, intellectual property, or other confidential data stored in local files.

Organizations need visibility into the actual data Cursor sends to external AI services, including prompts, files, and background tool activity. Monitoring only what appears in the chat interface may not reveal every file transfer.

Lumia analyzes AI interactions at the network level, giving security teams visibility into the content Cursor sends to external LLMs, including file uploads that may not appear in the chat interface. Lumia can detect sensitive information and automatically warn the user, redact protected data, or block the transfer before it leaves the organization.

Blocking AI apps is not an option anymore. Adopt AI. Safely. Reach out today to learn more.

We use cookies to enhance your browsing experience, serve personalised ads or content, and analyse our traffic. By clicking "Accept", you consent to our use of cookies.