Cursor's Agents Get More Autonomy, Less Oversight

Cursor shipped a mobile app, new automations, and an auto-review mode that cuts approval prompts. Here's what that means for your app's security.

Barret4 min read

Cursor pushed a wave of updates this cycle. None of them are a breach. All of them point the same direction: agents doing more, with fewer humans in the loop. If you shipped an app with Cursor, that's worth five minutes of attention.

TL;DR

Your agent now has more standing access

Cloud agents in Cursor need a real development environment to do real work: cloned repos, installed dependencies, credentials for your toolchain, access to your build system. That's the tradeoff behind the new cloud environment setup. cursor.com/changelog/05-13-26

Now add the iOS app. You can start, monitor, and remote-control those same cloud agents from your phone. cursor.com/changelog/ios-mobile-app And Automations can now fire from a GitHub event or a Slack message, and use "computer use" to operate a machine directly. cursor.com/changelog/06-18-26

None of this is bad on its own. But stack it up: an agent with repo access, build credentials, and a live environment, triggerable by a Slack message, controllable from a phone. If any one link in that chain is misconfigured — an overly broad Slack integration, a repo webhook anyone can hit — the agent is the thing that acts on it.

Fewer approval prompts, more trust by default

Cursor's new Auto-review mode is built to let agents "work for longer with fewer approval prompts and safer execution." cursor.com/changelog/auto-review The SDK update ships alongside it, adding custom tools and nested subagents for teams building on top of Cursor. cursor.com/changelog/sdk-updates-jun-2026

The pitch is speed: less babysitting, more throughput. The tradeoff is oversight. Every approval prompt you remove is a checkpoint where a human used to catch a bad diff, a leaked secret, or a change to an auth rule before it shipped. If you turn this on for a solo project, you are the only reviewer left. Read the diffs anyway.

Enterprise customers also got org-level controls — separate security, governance, and budget settings per team. cursor.com/changelog/enterprise-organizations That's a sign Cursor knows bigger customers need guardrails around this autonomy. Solo builders and small teams on lower tiers don't get that same admin layer.

Cursor built a security reviewer — but you may not have access

The most relevant release for this newsletter: Cursor Security Review, now in beta. It runs two always-on agents — a Security Reviewer and a Vulnerability Scanner — against your code. cursor.com/changelog/04-30-26

The catch: it's beta, and it's on Teams and Enterprise plans only. If you're a solo founder or on a Pro plan, this isn't in your toolbox yet. That's exactly the gap outside scanning tools exist to fill — someone still has to check your auth rules, your API routes, and your database policies before you ship.

FAQ

What is "computer use" in Cursor Automations?

It's an automation mode where the agent operates a computer directly — clicking, typing, running tasks — rather than just editing code. Combined with GitHub and Slack triggers, it means an automation can start and act without you opening Cursor at all. cursor.com/changelog/06-18-26

Should I turn on Auto-review for my project?

If you're the only person checking code before it ships, be cautious. Auto-review is designed to reduce approval prompts, which means fewer moments where a human catches a mistake. For solo or small-team apps, keep manual review on for anything touching auth, payments, or your database rules.

I'm not on a Teams or Enterprise plan — how do I get a security review?

Cursor's built-in Security Reviewer and Vulnerability Scanner are beta features limited to Teams and Enterprise. cursor.com/changelog/04-30-26 If you're on Free or Pro, you need an external check — manually review your API routes and database rules, or run a scan built for AI-generated apps.

The bottom line

Cursor's agents can now do more, reach further, and ask permission less often. That's good for speed. It raises the cost of a misconfiguration, because there are fewer humans positioned to catch it before it ships. Cursor's own security tooling is a good sign — but it's not available to everyone yet. If you're not on Teams or Enterprise, the review has to come from somewhere else.

Find your gaps before an attacker does.

Is My Site Hackable? scans your deployed app for the exact issues in this article — exposed keys, missing RLS, open buckets — and tells you what's real and what's a false alarm.

Run a free scan →