Overview
An attacker shares a malicious Google Doc containing embedded prompt injection. When Cursor fetches the document via a Google Docs MCP server, it auto-executes the injected instructions with no user interaction required. This achieves zero-click remote code execution, credential theft, and persistent access.
Who Is Affected
Discovered by Lakera AI. Targets developers using Cursor with a Google Docs MCP server connected. The victim only needs to have the shared document accessible; no clicking or opening is required.
Where It Exists
The attack surface is any shared Google Doc that the MCP-connected agent can access. The vulnerability chains the Google Docs MCP server (data ingestion) with Cursor's code execution capabilities.
When It Was Found
Published July 2025 by Lakera as part of their MCP security research series. Demonstrates a new class of zero-click attacks via MCP integrations.
How It Works
The attacker creates a Google Doc with hidden prompt injection (e.g., white text on white background). They share it with the victim or place it in a shared drive. When Cursor's agent fetches document content via the Google Docs MCP server, the hidden instructions execute. These can install malicious MCP servers for persistence, exfiltrate credentials, or modify source code. The entire chain requires zero victim interaction.
Impact
Full compromise of the developer's environment with no interaction required. Attackers gain persistent access through injected MCP servers, can steal all credentials and source code, and maintain access across IDE restarts. The zero-click nature makes this exceptionally dangerous for targeted attacks against development teams.
Mitigation
Implement prompt injection detection on all content fetched by MCP tools. Add user confirmation for any code execution triggered by external content. Isolate document-fetching MCP servers from code execution capabilities. Review shared documents in a sandboxed viewer before allowing agent access.