A flaw in Cursor’s AI agent lets malicious repositories trigger arbitrary code execution through routine Git operations, now patched in version 2.5.

CSO Online offers insights into cybersecurity, risk management, and IT leadership, providing articles, reports, and expert analysis to help security professionals navigate the evolving threat landscape and protect their organizations from cyber attacks. By exploring CSO Online's curated content, CISOs, security managers, and IT executives can learn about threat intelligence, security frameworks, and incident response strategies for building resilient cybersecurity programs. Whether you're defending against ransomware, phishing attacks, or insider threats, CSO Online offers resources to strengthen your security posture and safeguard your digital assets.

CSO Online

A critical vulnerability (CVE-2026-26268, CVSS 9.9) in the Cursor AI IDE allows arbitrary code execution on a developer's machine via malicious Git repositories. An attacker can embed a bare repository with a malicious pre-commit hook inside a legitimate project. When Cursor's AI agent autonomously performs Git operations like checkout, the hook executes attacker-controlled code outside the sandbox. The attack requires no phishing — just cloning a repository is enough. The flaw stems from Cursor's AI agent autonomously running Git operations without sufficient safeguards, unlike traditional passive IDEs. It has been patched in Cursor version 2.5, with no known in-the-wild exploitation reported.

Critical Cursor bug could turn routine Git into RCE