{"id":7956,"date":"2026-04-28T13:00:00","date_gmt":"2026-04-28T13:00:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=7956"},"modified":"2026-04-28T13:00:00","modified_gmt":"2026-04-28T13:00:00","slug":"critical-cursor-bug-could-turn-routine-git-into-rce","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=7956","title":{"rendered":"Critical Cursor bug could turn routine Git into RCE"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Security researchers have disclosed a high-severity vulnerability affecting the Cursor IDE, allowing arbitrary code execution on a developer\u2019s machine through a seemingly routine repository interaction.<\/p>\n<p>According to findings by AI <a href=\"https:\/\/www.csoonline.com\/article\/3542936\/14-underrated-pentesting-tools.html\" target=\"_blank\" rel=\"noopener\">pentesting<\/a> platform Novee Security, once a developer cloned and interacted with a malicious repository, the IDE\u2019s AI agent could trigger embedded Git logic, resulting in attacker-controlled code execution.<\/p>\n<p>\u201cThe root cause is not a flaw in Cursor\u2019s core product logic, but rather a consequence of a feature interaction in Git, one that becomes exploitable the moment an AI agent starts autonomously executing Git operations inside a repository it doesn\u2019t control,\u201d said Assaf Levkovich, a vulnerability researcher at Novee, in a blog post shared with CSO ahead of its publication on Tuesday.<\/p>\n<p>The flaw could be used to enable the AI agent (through <a href=\"https:\/\/www.csoonline.com\/article\/4159079\/copilot-and-agentforce-fall-to-form-based-prompt-injection-tricks.html\" target=\"_blank\" rel=\"noopener\">prompt injection<\/a>) to write to improperly protected Git configurations, which could allow out-of-sandbox RCE on the next trigger. It is now <a href=\"https:\/\/github.com\/cursor\/cursor\/security\/advisories\/GHSA-8pcm-8jpx-hv8r\" target=\"_blank\" rel=\"noopener\">patched<\/a> by Cursor, with no indication of any in-the-wild exploitation as yet.<\/p>\n<h2 class=\"wp-block-heading\">Using a legit Git feature for code execution<\/h2>\n<p>The exploit depends on standard Git features, including Git <a href=\"https:\/\/git-scm.com\/book\/en\/v2\/Customizing-Git-Git-Hooks\" target=\"_blank\" rel=\"noopener\">hooks<\/a> and Bare repositories. Hooks are scripts that run automatically during events like pre-commits or post-checkouts, while bare repositories are repositories that contain only version control metadata and can be nested within other repositories.<\/p>\n<p>According to Novee, an attacker could embed a malicious bare repository inside an otherwise legitimate project and plant a harmful pre-commit hook within it. When Cursor\u2019s AI agent performs a routine operation, like a git checkout triggered by a high-level prompt, it could execute that hook. This would result in automatic execution of remote attacker code on the developer\u2019s machine.<\/p>\n<p>Levkovich noted that the underlying Git behavior allowing the attack path is well documented, but what\u2019s different here is Cursor autonomously deciding to execute Git operations (running hooks) that ultimately result in code execution.<\/p>\n<p>The flaw is tracked as <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2026-26268\" target=\"_blank\" rel=\"noopener\">CVE-2026-26268<\/a>, with a critical severity rating of 9.9 out of 10 assigned by NVD, and affects Cursor versions prior to 2.5. \u201cSandbox escape via writing .git configuration was possible in versions prior to 2.5,\u201d reads an NVD description of the flaw. \u201cA malicious agent (i.e. prompt injection) could write to improperly protected .git settings, including git hooks, which may cause out-of-sandbox RCE next time they are triggered.\u201d<\/p>\n<h2 class=\"wp-block-heading\"><a><\/a>Expanded attack surface with agentic IDEs<\/h2>\n<p>Novee warned that while traditional IDEs are passive, doing what developers explicitly tell them to do, Cursor\u2019s AI agent interprets intent and autonomously decides which commands to run, which includes Git operations. And that\u2019s where the problem lies.<\/p>\n<p>\u201cIn traditional pentesting, \u2018client-side\u2019 attacks targeting developer machines have always been a known vector,\u201d Levkovich noted. \u201cBut they relied on user error or a lapse in vigilance, typically requiring a degree of deliberate action on the part of the victim: opening a malicious file, executing a script, clicking a link.\u201d<\/p>\n<p>Security has long relied on trusted IDEs and human action as safeguards, but AI agents remove both constraints, he added.<\/p>\n<p>As the attack path does not need phishing or tricking the user into running scripts beyond cloning the bare repository, and malicious code executes as part of the normal development workflow, it is quite difficult to detect.<\/p>\n<p>Still, Cursor contested NVD\u2019s critical rating of the flaw and instead issued its own high-severity CVSS score of 8.0 out of 10. The flaw is patched in Cursor version 2.5.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Security researchers have disclosed a high-severity vulnerability affecting the Cursor IDE, allowing arbitrary code execution on a developer\u2019s machine through a seemingly routine repository interaction. According to findings by AI pentesting platform Novee Security, once a developer cloned and interacted with a malicious repository, the IDE\u2019s AI agent could trigger embedded Git logic, resulting in [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":7957,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-7956","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/7956"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=7956"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/7956\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/7957"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=7956"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=7956"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=7956"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}