Labs

For an IDE, Cursor Doesn’t Really Know its Files

Stiv Kupchik
Lumia Security LabsStiv Kupchik

July 14, 2026 | 3 min read

Is the title intentionally provocative? Yes it is. But it’s not very far from the truth. As a Coding Assistant, Cursor is great and we love using it. But also as a coding assistant, its main focus is textual files. 

Anything that isn’t textual, and it goes haywire.

Cursor Can’t Handle Microsoft Office Files - Or Any Other Binary

Ever tried uploading Office files or PDFs to the chat windows with Cursor, by using the ‘@’ tag or dragging it into the chatbox? Noticed how despite having the file, Cursor wrote a script to extract its content? 

We have, and so did our customers…


Figure 1: Cursor using a script to extract text from the docx file.

On the surface, this seems completely reasonable. Cursor knows it can’t process a binary file so it creates scripts to extract the content directly. The real issue happens behind the scenes. 

While it seems Cursor just reads the file’s content, it also uploads the file directly to the LLM alongside the prompt. The thing is that this file upload treats the file as if it’s textual, thereby corrupting it in the process, and replacing a lot of its bytes with the Unicode Replacement character EF BF BD.

Using our internal proxy and HTTP inspection tool, we can see that clearly in the traffic:


Figure 2: The file content being replaced with the Unicode Replacement character.

Doubling and Tripling the Token Waste

Beyond recognizing that Cursor does not support reading binary files, and addresses this by way of corrupting the file, Cursor is wasting a lot of tokens in the process. 

It’s not just with the prompt, the read tool has the same mechanism, and sometimes Cursor uses both before even starting to process the file, basically tripling the token usage!

The Real Issue: Complicating AI Governance

Corrupting the file actually leads to the real problem: hindering AI Governance initiatives. 

An ideal governance solution needs to inspect all files sent from the application to the LLM. However, since Cursor mangles the file’s content, it’s not easily recoverable, making it not easily governable.

In fact, that’s how we found out about it.  At Lumia, we noticed a lot of corrupted files extracted from Cursor’s traffic of our customers, and investigated the cause.

We opened a bug report to Cursor about it. It’s now acknowledged and should be fixed. We’ll track.

Frequently Asked Questions

For an IDE, Cursor Doesn’t Really Know its Files

Stiv Kupchik
Lumia Security LabsStiv Kupchik

July 14, 2026 | 3 min read

Cursor can accept Office files such as DOCX files, but it may not process the original binary format correctly. Instead, it can generate scripts to extract the text before analyzing the document.

Cursor may attempt to extract text from PDFs rather than interpret the complete file directly. This can limit its ability to understand formatting, images, tables, and other non-textual content.

Cursor attempts to transmit binary files as though they were text, replacing unsupported byte sequences with Unicode replacement characters. This alters the original file content before it reaches the language model.

Yes. Cursor often doubles or triples the amount of content sent to the model by uploading the corrupted file, running a script to extract its contents, and using additional read tools.

When a file is corrupted before transmission, security tools may struggle to reconstruct and inspect its original contents. This can create visibility and enforcement gaps for sensitive data sent through Cursor.

Blocking AI apps is not an option anymore. Adopt AI. Safely. Reach out today to learn more.

We use cookies to enhance your browsing experience, serve personalised ads or content, and analyse our traffic. By clicking "Accept", you consent to our use of cookies.