A vulnerability in Cursor that allows arbitrary code execution simply by 'opening the repository' has not been fixed even 7 months after it was reported, and researchers have now published the full details.

A vulnerability has been discovered in the Windows version of 'Cursor,' a code editor with AI-powered programming assistance features, that allows arbitrary programs to be automatically executed simply by opening a specially crafted repository. Mindgard, the AI security company that discovered the vulnerability, reported it to Cursor in December 2025, but it remained unfixed for about seven months, and they did not receive sufficient progress reports, so they released details of the vulnerability on July 14, 2026.
Cursor 0day: When Full Disclosure Becomes the Only Protection Left - Mindgard

Cursor IDE Auto-Executes Malicious Code in Poisoned Repos
https://www.darkreading.com/application-security/cursor-ide-malicious-code-poisoned-repos
When developers want to check sample programs they found on GitHub or examine code sent by external developers, they download the repository and open it in a code editor. When Cursor loads a project, it searches for executable files from multiple locations in order to use Git.
Mindgard analysis revealed that the search targets also include the repository being worked on. If a malicious 'git.exe' is placed at the top level of the repository, the git.exe prepared by the attacker will be executed by Cursor.
Running git.exe requires no button presses or instructions to the AI, and no warnings or confirmation screens are displayed; it automatically starts simply by opening a repository in Cursor. Because the program operates with the same privileges as the logged-in user, if git.exe were a malicious program, it could potentially perform arbitrary actions with the privileges of the logged-in user.
As a safe proof-of-concept experiment, Mindgard renamed the Windows calculator app to git.exe and placed it in their repository. When the repository was opened with Cursor, the calculator launched, and if the repository was left open, the calculator would run repeatedly, displaying multiple windows. On April 30, 2026, they confirmed that the vulnerability still existed in the Windows version of Cursor 3.2.16.

Mindgard discovered the vulnerability and reported it to Cursor's security contact on December 15, 2025. After repeated attempts to contact them due to a lack of acknowledgment, Cursor's Chief Information Security Officer responded on January 15, 2026, explaining that an internal automated process had failed, preventing them from being invited to HackerOne's private bug bounty program.
The report submitted to HackerOne was initially dismissed as 'for reference only and not applicable,' but after Mindgard raised an objection, HackerOne confirmed the problem was reproducible, and the information was passed on to Cursor on January 20, 2026. However, Cursor did not respond to multiple inquiries sent between February and April, and even after Mindgard expressed its intention to make the issue public on June 1, the status of the fix remained unclear.
As a workaround until a fix is available, Mindgard recommends opening untrusted repositories in Windows Sandbox or a disposable virtual machine. For corporate management terminals, it suggests using 'AppLocker' or 'Windows App Control' to restrict executable applications and prevent the launch of git.exe located in development folders. It also warns against relying on blocking methods that only register the hash value of a specific file, as the hash value will change if an attacker modifies the contents of git.exe.
As of the time of writing, Cursor's official website does not contain any information regarding the corrected version number or any security notices related to this issue. However, a spokesperson for Cursor reportedly told Dark Reading, which reported on the matter, that they 'addressed the issue on July 13, 2026, and will also contact Mindgard.'
Related Posts:







