A severe vulnerability in the AI-powered development tool Cursor allows installed extensions to access locally stored API keys and session tokens without user action, according to LayerX researchers.