Developers without admin privileges or attackers with limited access can bankrupt smaller companies simply by raising Cursor and AWS Bedrock spending limits, a report by OX Security has revealed.
Cursor is an AI coding platform, a fork of VS Code, that has become popular among vibe coders – developers who rely on AI assistance.
Meanwhile, AWS Bedrock provides a single API to access multiple foundation AI models, including Amazon Titan, Anthropic Claude, Meta Llama, and others.
The two systems integrate so well that non-admin users can raise the spending limits to over $1 million without an actual administrator noticing anything, a new employee at Ox Security has discovered.
“A new developer on our team accidentally spent our monthly Cursor budget in hours,” the OX Security report reads.
“When he got notified of exceeding the limit, he wandered off to his user settings and found out he could simply change the organization’s budget limitations (to over $1M!) – even though he wasn’t the admin. The admin received no notification.”
At least three critical failure points were detected on Cursor: there were no mandatory spend caps, allowing usage to grow unbounded, the cost visibility was delayed, with bills appearing hours or days later, and the access to settings was overly permissive.
This critical flaw exposed many enterprises to a silent and “catastrophic budget drain.” The vulnerability allowed non-admins to modify budget controls. Meanwhile, attackers could abuse leaked API tokens for nearly unlimited access.
“Any team member can edit spending limits without admin approval,” the report reads.
“A non-admin user can change team limits to 'unlimited,' set caps to $1,000,000+, save changes with zero friction.”
And AWS Bedrock default settings do not have any built-in spending caps.
The researchers believe this exposes a systemic problem of AI platforms prioritizing speed and access over security. Cloud costs could exceed millions of dollars before any alert is made.
Hackers can easily automate attacks to search for exposed API tokens and rapidly consume AI usage quotas.
“Organizations using these platforms should immediately review billing settings, enable admin-only controls, and implement spending caps. We notified both vendors on December 3rd-4th, 2024, and are awaiting responses,” OX Security said.
AWS spokesperson has provided the following statement to Cybernews:
“This is not a security issue with Amazon Bedrock or AWS. AWS customers who want to manage spending in Amazon Bedrock can do so through AWS Service Quotas and cost controls like AWS Budgets. Access to Bedrock APIs and the ability to modify service quotas are governed by IAM permissions, which customers configure based on their security requirements.”
AWS has also clarified that the claim by OX Security regarding notification to vendors is inaccurate.
“OX Security has not contacted us,” AWS spokesperson added and noted that the stated publication date (year) contains a typo.
Updated on December 10th [03:55 p.m. GMT] with a statement from AWS.
Unlock Cybernews content on YouTube.
Your email address will not be published. Required fields are markedmarked