Cursor Code Editor Vulnerability Allows Arbitrary Code Execution via Malicious Git Repositories
A critical flaw in the Cursor AI code editor allows attackers to execute arbitrary code on Windows systems simply by having users clone and open a specially crafted Git repository.

A severe vulnerability discovered in the popular Cursor AI code editor enables attackers to achieve arbitrary code execution on Windows systems without any user interaction beyond cloning a malicious repository. The flaw, reported by AI security firm Mindgard, exploits how Cursor handles Git binaries within project directories. When a user opens a repository containing a file named git.exe in its root folder, Cursor automatically executes this binary with the user's privileges, bypassing standard security prompts.
This mechanism allows an attacker to embed malicious code within a Git repository. Once a developer clones and opens this repository in Cursor, the embedded git.exe is executed. The malicious code then runs with the privileges of the logged-in user, potentially granting attackers access to sensitive data such as SSH keys, cloud tokens, and source code. The vulnerability is particularly concerning because it requires no prior access to the machine; the act of opening the repository is the sole exploit vector.
Mindgard's proof-of-concept demonstrated this by renaming the Windows Calculator executable to git.exe and placing it in the root of a repository. Cloning and opening this repository caused Calculator windows to repeatedly launch, illustrating the arbitrary code execution capability. The security firm initially reported the flaw to Cursor on December 15, 2025, but as of July 15, 2026, no patch has been released, and Cursor has not issued any official advisory regarding the issue.
The technical details reveal that Cursor, like other code editors such as VS Code, searches for a Git binary in several locations, including the project's root directory. When a git.exe is found in the workspace, Cursor executes it, typically to run commands like git rev-parse --show-toplevel. The vulnerability persists in recent versions of Cursor, with Mindgard confirming its presence in versions up to 3.2.16 and noting its survival in newer releases, though specific version numbers were not detailed.
Compounding the issue, the disclosure process has been fraught with delays and miscommunication. Cursor's security page states that vulnerability reports are typically acknowledged within five business days. However, Mindgard experienced significant delays, with their initial report being closed as "informative and out of scope" before being reopened after pushback and reproduction by HackerOne. This occurred while Cursor addressed other vulnerabilities, such as GHSA-8pcm-8jpx-hv8r (CVE-2026-26268), reported by other researchers and fixed in earlier versions.
This vulnerability class is not unique to Cursor. In June, Cymulate published findings on similar issues affecting other AI tooling, including GitHub Copilot CLI, Gemini CLI, and OpenAI's Codex desktop app. While AWS patched a related flaw (CVE-2026-10591) in its Kiro product, other vendors like GitHub and Google either downgraded the severity or deemed the findings out of scope, mirroring Cursor's initial response to Cymulate's report on its own CLI tool.
Given the lack of a patch, users are advised to implement workarounds. Mindgard suggests using application control solutions like AppLocker or Windows App Control to create deny rules for executables named git.exe within workspace roots. For those working with untrusted repositories, opening them in isolated environments such as a disposable virtual machine or Windows Sandbox is recommended. Additionally, developers should exercise caution and inspect the contents of cloned repositories before opening them, looking for unexpected executables like git.exe, npx.exe, or node.exe in project roots.
The situation highlights the ongoing security challenges associated with AI-powered development tools and the critical importance of secure vulnerability disclosure processes. The extended timeline and initial dismissals by Cursor and other vendors underscore the need for robust security practices and transparent communication throughout the vulnerability management lifecycle.
This new report details a specific two-click exploit chain within the Cursor AI code editor, involving the manipulation of deeplinks within pull requests to install malicious MCP servers. The vulnerability, dubbed "2-Click Cursor," leverages an old-fashioned argument injection flaw combined with a dialog box inadequacy that hides malicious commands, allowing for arbitrary code execution with user privileges.