Security researchers have disclosed a high-severity vulnerability affecting the Cursor IDE, allowing arbitrary code execution on a developer’s machine through a seemingly routine repository interaction.
According to findings by AI pentesting platform Novee Security, once a developer cloned and interacted with a malicious repository, the IDE’s AI agent could trigger embedded Git logic, resulting in attacker-controlled code execution.
“The root cause is not a flaw in Cursor’s core product logic, but rather a consequence of a feature interaction in Git, one that becomes exploitable the moment an AI agent starts autonomously executing Git operations inside a repository it doesn’t control,” said Assaf Levkovich, a vulnerability researcher at Novee, in a blog post shared with CSO ahead of its publication on Tuesday.
Through prompt injection, the flaw could let the AI agent write to improperly protected Git configurations, which could allow out-of-sandbox RCE on the next trigger. Cursor has since patched it, and there is no indication of in-the-wild exploitation so far.
Using a legit Git feature for code execution
The exploit depends on standard Git features, including Git hooks and bare repositories. Hooks are scripts that run automatically during events like pre-commits or post-checkouts, while bare repositories are repositories that contain only version control metadata and can be nested within other repositories.
According to Novee, an attacker could embed a malicious bare repository inside an otherwise legitimate project and plant a harmful pre-commit hook within it. When Cursor’s AI agent performs a routine operation, like a git checkout triggered by a high-level prompt, it could execute that hook. This would result in automatic execution of remote attacker code on the developer’s machine.
Levkovich noted that the underlying Git behavior allowing the attack path is well documented, but what’s different here is Cursor autonomously deciding to execute Git operations (running hooks) that ultimately result in code execution.
The flaw is tracked as CVE-2026-26268, with a critical severity rating of 9.9 out of 10 assigned by NVD, and affects Cursor versions prior to 2.5. “Sandbox escape via writing .git configuration was possible in versions prior to 2.5,” reads an NVD description of the flaw. “A malicious agent (i.e. prompt injection) could write to improperly protected .git settings, including git hooks, which may cause out-of-sandbox RCE next time they are triggered.”
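One defensive check for the embedded bare repository described above, as an added example that is not code from Novee or Cursor: it walks a cloned working tree and reports any directory with a Git repository layout outside the top-level .git, together with hook files in it that are not .sample templates. The function names are illustrative.

```python
import os
import sys
from pathlib import Path


def looks_like_git_dir(d):
    """A bare repository keeps HEAD, objects/ and refs/ directly in one directory."""
    return (d / "HEAD").is_file() and (d / "objects").is_dir() and (d / "refs").is_dir()


def active_hooks(git_dir):
    """Hook files that are not Git's inactive '.sample' templates."""
    hooks = git_dir / "hooks"
    if not hooks.is_dir():
        return []
    return sorted(p.name for p in hooks.iterdir()
                  if p.is_file() and not p.name.endswith(".sample"))


def find_embedded_bare_repos(worktree):
    """Return [(relative_path, [hook names])] for repository-shaped directories
    found inside the working tree, excluding the checkout's own .git."""
    root = Path(worktree).resolve()
    top_git = root / ".git"
    findings = []
    for cur, dirs, _files in os.walk(root):
        cur_path = Path(cur)
        if cur_path == top_git:
            dirs[:] = []          # the clone's own metadata is expected
            continue
        if looks_like_git_dir(cur_path):
            findings.append((str(cur_path.relative_to(root)), active_hooks(cur_path)))
            dirs[:] = []          # do not descend into the embedded repository
    return findings


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    results = find_embedded_bare_repos(target)
    for path, hooks in results:
        print(f"embedded repository: {path}  hooks: {', '.join(hooks) or 'none'}")
    sys.exit(1 if results else 0)
```

Running it on a fresh clone before an agent is allowed to operate there gives a non-zero exit code when something repository-shaped is nested in the tree. Separately, Git's `safe.bareRepository=explicit` setting makes Git use a bare repository only when it is named through `--git-dir` or `GIT_DIR`.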
Expanded attack surface with agentic IDEs
Novee warned that while traditional IDEs are passive, doing what developers explicitly tell them to do, Cursor’s AI agent interprets intent and autonomously decides which commands to run, which includes Git operations. And that’s where the problem lies.
“In traditional pentesting, ‘client-side’ attacks targeting developer machines have always been a known vector,” Levkovich noted. “But they relied on user error or a lapse in vigilance, typically requiring a degree of deliberate action on the part of the victim: opening a malicious file, executing a script, clicking a link.”
Security has long relied on trusted IDEs and human action as safeguards, but AI agents remove both constraints, he added.
Because the attack path requires no phishing and no tricking the user into running scripts, only cloning the bare repository, and the malicious code executes as part of the normal development workflow, it is quite difficult to detect.
Still, Cursor contested NVD’s critical rating of the flaw and instead issued its own high-severity CVSS score of 8.0 out of 10. The flaw is patched in Cursor version 2.5.