Researchers disclosed a Windows arbitrary code execution flaw in the Cursor AI coding IDE that causes the application to automatically run a malicious git.exe placed in the root of a repository when the project is opened. Mindgard said the issue stems from Cursor's Git path resolution logic searching the workspace itself for Git binaries, enabling attacker-controlled code to execute with the developer's privileges without clicks, prompts, or warnings; the payload may also be triggered repeatedly during normal use. In a demonstration, Mindgard renamed Windows Calculator to git.exe and showed Cursor launched it simply by opening the poisoned repository.
Mindgard said it first reported the vulnerability to Cursor in December 2025, later resubmitted it through HackerOne after contacting the company's CISO, and that the flaw was still present in Cursor version 3.2.16 as of late April 2026 and in the latest version it tested before publication. Cursor told Dark Reading it was addressing the issue. Until a fix is available, Mindgard urged developers to open untrusted repositories only in isolated environments and recommended enterprise Windows controls such as AppLocker or Windows App Control to reduce exploitation risk.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
4 events from the most recent confirmed update back to the earliest known activity.
Cursor told Dark Reading it was addressing the reported issue. This vendor response came after public reporting that the flaw remained present in the latest tested version.
Mindgard publicly disclosed the Cursor vulnerability after months of attempted coordinated disclosure, describing how opening a poisoned repository can trigger automatic execution of a malicious git.exe with the developer's privileges. The disclosure included mitigation advice such as using isolated environments and Windows application control policies until a patch is available.
Mindgard states the issue was still present in Cursor version 3.2.16 as of April 30, 2026. According to the disclosure, the application continued to auto-execute an attacker-controlled git.exe from the workspace without prompts or warnings.
Mindgard says it first reported a Windows arbitrary code execution vulnerability in Cursor to the vendor on December 15, 2025. The flaw allows a malicious git.exe placed in a repository root to be executed automatically when the repository is opened.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
3 references tracked. Mallory keeps watching after this page renders.
scworld.com
Open sourcedarkreading.com
Open sourcemindgard.ai
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.