Researchers disclosed two separate high-severity security issues affecting the Cursor AI development environment, showing how developer workstations can be compromised through both malicious repositories and rogue extensions. Novee reported CVE-2026-26268 (CVSS 8.1), an arbitrary code execution flaw that can be triggered when a developer clones a crafted repository and Cursor’s AI agent performs routine Git actions such as checkout. The attack hides a malicious pre-commit hook inside a nested bare repository, allowing code to run locally without warning or additional user approval. Cursor worked with the researchers on a fix that was completed in February 2026, and defenders were urged to update to the patched version and inspect repositories for embedded bare directories and suspicious Cursor Rules files.
A separate LayerX report found that any installed Cursor extension could access API keys and session tokens stored in a local SQLite database because the product did not isolate extensions from that credential store or use protected OS-backed secret storage. A malicious or compromised extension could silently exfiltrate credentials for Cursor services and third-party integrations including OpenAI, Anthropic, and Google, enabling account takeover, impersonation, data theft, and financial abuse. As of the report’s publication, LayerX said the extension issue remained unpatched and recommended moving secrets into encrypted system keychains and enforcing stricter extension isolation.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
6 events from the most recent confirmed update back to the earliest known activity.
By April 30, 2026, Google had fixed a maximum-severity remote code execution vulnerability in Gemini CLI and the google-github-actions/run-gemini-cli workflow after Novee Security reported that untrusted workspace content could be treated as trusted configuration in headless CI environments. The changes required explicit workspace trust and hardened tool allowlisting in --yolo mode to reduce prompt-injection-driven command execution risks.
As of April 28, 2026, LayerX reported that the Cursor vulnerability allowing rogue extensions to steal locally stored API keys and session tokens remained unpatched. The researchers recommended moving secrets into encrypted system keychains and enforcing strict extension isolation.
On April 28, 2026, Novee publicly disclosed the high-severity Cursor vulnerability CVE-2026-26268, describing how cloning a malicious repository could lead to code execution on a developer machine. The disclosure highlighted the risk posed by autonomous AI coding agents operating on untrusted code and urged organizations to audit AI coding assistants.
In February 2026, Cursor completed remediation for CVE-2026-26268 after coordinated disclosure with Novee. The flaw allowed arbitrary code execution when Cursor’s AI agent interacted with a malicious repository containing a hidden Git hook in a nested bare repository.
On February 5, 2026, Cursor responded to LayerX’s report, stating that defining the trust boundary for extensions is the user’s responsibility. The response indicated the credential-access issue was not being treated as a product-side isolation failure.
LayerX disclosed a high-severity vulnerability to Cursor on February 1, 2026, showing that any installed extension could access API keys and session tokens stored in Cursor’s local SQLite database. The issue stemmed from local credential storage without protected OS-backed storage or effective extension isolation.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
6 references tracked. Mallory keeps watching after this page renders.
thehackernews.com
Open sourcecybersecuritynews.com
Open sourcehackread.com
Open sourcelayerxsecurity.com
Open sourceaware-online.com
Open sourcegithub.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.