Vulnerability  ·  2026-07-15

Cursor IDE Auto-Executes Malicious git.exe from Poisoned Repositories (Unpatched 0-day)

VulnerabilityHigh impactGlobal
Security firm Mindgard disclosed a Windows arbitrary code execution vulnerability in the Cursor AI coding IDE, first reported to Cursor in December 2025 and publicly disclosed July 14, 2026 after Cursor did not resolve it through email, LinkedIn, or HackerOne over roughly seven months. Mindgard demonstrated the flaw by renaming Windows Calculator to git.exe and placing it in a repository root; simply opening the poisoned repo in Cursor triggered automatic execution.
This is a novel agent-execution/trust-boundary attack class specific to AI coding assistants: the IDE's automated tooling (not a traditional app vulnerability) silently executes attacker-controlled code sourced from an untrusted repository, enabling RATs, ransomware, credential theft, or source-code exfiltration on developer machines — with no patch currently available.
Attacker publishes/plants a malicious binary named git.exe at the root of a Git repository. Cursor's Git path-resolution logic searches the workspace itself for Git binaries before falling back to system PATH; when a developer opens the poisoned repository in Cursor, the malicious git.exe is automatically executed with the developer's privileges — no click, prompt, or warning is shown, and execution can recur during normal use.
Cursor IDE (Windows), confirmed present through version 3.2.16 and the latest version tested pre-publication (July 2026); unpatched as of disclosure
No vendor patch available at time of disclosure; Cursor told Dark Reading it is addressing the issue. Interim mitigations: open untrusted repositories only in isolated environments (VM/Windows Sandbox); enterprises should deploy AppLocker or Windows App Control policies to block execution of git.exe from developer workspace directories.
Dark ReadingMallory (Cursor IDE Executes Malicious git.exe From Poisoned Repositories)
See this in the live feed Explore related AI security and governance findings — updated every morning.
Open the feed →