Cursor AI IDE RCE Flaw CVE-2026-26268 Turns Malicious Git Repositories Into Developer Workstation Attack Paths
A malicious repository should not be enough to turn an AI coding assistant into an execution engine on a developer workstation. CVE-2026-26268 shows why that assumption is no longer safe.
The flaw affects Cursor versions prior to 2.5 and allows a sandbox escape through improperly protected .git configuration. According to Cursor’s advisory, a malicious agent, including one influenced through prompt injection, could write to Git settings such as hooks. Once triggered, those hooks could execute commands outside the sandbox without further user interaction because Git runs hooks automatically.
What Happened
Tracked as CVE-2026-26268 and mapped to CWE-862 for missing authorization, the vulnerability was disclosed in Cursor’s GitHub security advisory on February 13, 2026. The National Vulnerability Database describes the issue as a sandbox escape in Cursor before version 2.5, caused by the ability to write unsafe Git configuration, including Git hooks.
The assigned CVSS v3.1 vector is AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H, reflecting high impact across confidentiality, integrity, and availability once exploitation conditions are met. Cursor fixed the issue in version 2.5.
Novee Security’s research adds the operational shape of the attack: an attacker can prepare a malicious repository that appears legitimate, embed Git structures such as bare repositories and hooks, and rely on the AI agent’s automated Git activity to activate the chain. In the reported scenario, the agent’s normal interaction with the cloned repository, such as a checkout operation, can lead to attacker-controlled code execution on the developer’s machine.
Why This Stands Out
The dangerous part is not Git hooks by themselves. Git hooks are a long-standing feature. The risk emerges when an AI coding agent is allowed to reason over repository content, follow project instructions, manipulate files, and initiate Git operations inside a workspace that may be attacker-controlled.
That changes the trust boundary. A developer may believe they are reviewing code. The agent may believe it is completing a routine task. But the repository can carry instructions and Git metadata that shape the agent’s behavior and prepare execution paths the developer never explicitly approved.
This is why CVE-2026-26268 is more than a product bug. It is a warning about agentic development environments: automation can collapse the distance between “opened a repo” and “ran attacker code.”
The Attack Path
The exploit chain relies on a practical sequence defenders should understand:
1. An attacker prepares a repository with malicious Git configuration or embedded Git structures.
2. A developer clones or opens the repository in Cursor.
3. The AI agent interacts with the project and may be influenced by repository content or prompt-injection-style instructions.
4. During routine Git activity, a hook is triggered.
5. The hook executes outside the intended sandbox, giving the attacker code execution on the developer workstation.
From there, the value of the target is obvious. Developer systems often hold source code, local credentials, SSH keys, package registry tokens, cloud access tokens, internal documentation, build scripts, and access to private repositories. Compromising one workstation can become a bridge into the software supply chain.
Why Defenders Should Care
Traditional repository risk models focus heavily on dependencies, package manifests, and malicious code that gets built or installed. CVE-2026-26268 pushes attention lower, into development workflow mechanics: Git metadata, hooks, agent permissions, and automated tool execution.
That matters because AI coding tools are increasingly being granted permissions that resemble junior engineer access: reading source trees, editing files, running commands, invoking terminals, and changing repository state. When those tools process untrusted repositories, they become part of the attack surface.
For security teams, the practical exposure is not limited to Cursor. The broader issue is workspace trust. Any AI coding environment that can act on repository-local instructions, execute commands, or modify development state needs hard boundaries around untrusted code.
Recommended Actions
Cursor users should upgrade to version 2.5 or later immediately. Security teams should inventory developer workstations and confirm that vulnerable Cursor versions are not still in use, especially on systems with access to production repositories, CI/CD secrets, cloud credentials, or internal engineering tools.
Developers should avoid opening unfamiliar repositories in privileged workspaces. Treat cloned code as untrusted until reviewed, and pay special attention to hidden Git metadata, hooks, submodules, embedded repositories, and unexpected configuration files.
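As an added example (not code from Cursor's advisory or the Novee research), the following Python check walks a cloned working tree and reports the items named above: Git directories embedded in the tree, hook files that are not stock `.sample` templates, and a `core.hooksPath` override. The function names, finding labels and the sample tree under `vendor/lib.git` are assumptions constructed for illustration.

```python
import os
import re
import tempfile

def is_git_dir(path):
    """A Git directory (bare repo or .git) holds HEAD, objects/ and refs/."""
    return os.path.isfile(os.path.join(path, "HEAD")) and all(
        os.path.isdir(os.path.join(path, d)) for d in ("objects", "refs"))

def audit_repo(root):
    """Return sorted (kind, git_dir, detail) findings for a working tree."""
    findings = []
    for dirpath, dirnames, _ in os.walk(root):
        if not is_git_dir(dirpath):
            continue
        dirnames[:] = []  # no need to descend into objects/ or refs/
        rel = os.path.relpath(dirpath, root).replace(os.sep, "/")
        if rel != ".git":  # a Git directory other than the clone's own
            findings.append(("embedded-git-dir", rel, ""))
        hooks = os.path.join(dirpath, "hooks")
        for name in (os.listdir(hooks) if os.path.isdir(hooks) else []):
            if not name.endswith(".sample"):  # stock templates are inert
                findings.append(("active-hook", rel, name))
        cfg = os.path.join(dirpath, "config")  # core.hooksPath relocates hooks
        if os.path.isfile(cfg):
            with open(cfg, encoding="utf-8", errors="replace") as fh:
                for m in re.finditer(r"(?im)^\s*hookspath\s*=\s*(.+)$", fh.read()):
                    findings.append(("hooks-path-override", rel, m.group(1).strip()))
    return sorted(findings)

def build_sample(root):
    """Constructed sample: a normal .git plus a bare repo under vendor/."""
    files = {".git/HEAD": "ref: refs/heads/main\n",
             ".git/hooks/pre-commit.sample": "#!/bin/sh\n",
             "vendor/lib.git/HEAD": "ref: refs/heads/main\n",
             "vendor/lib.git/hooks/post-checkout": "#!/bin/sh\n",
             "vendor/lib.git/config": "[core]\n\tbare = true\n\thooksPath = ../h\n"}
    for git_dir in (".git", "vendor/lib.git"):
        for sub in ("objects", "refs", "hooks"):
            os.makedirs(os.path.join(root, git_dir, sub))
    for rel, text in files.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(text)
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for finding in audit_repo(build_sample(tmp)):
            print(*finding)
```

Flagging every hook file that is not a `.sample` template is deliberately conservative, since on POSIX systems Git only runs hooks that have the executable bit set.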
Engineering leaders should also review whether AI coding agents can run shell commands or Git operations automatically. Where possible, require explicit approval for tool execution, isolate analysis of unknown repositories in disposable environments, and prevent agents from accessing long-lived credentials unless strictly necessary.
Bigger Picture
CVE-2026-26268 sits inside a larger pattern: AI coding assistants are becoming execution-capable software agents, not just autocomplete tools. That gives them real productivity value, but it also makes prompt injection and workspace poisoning more consequential.
The uncomfortable lesson is that source repositories are no longer passive input. In an agentic IDE, a repository can become an instruction surface, a configuration surface, and an execution trigger. Security controls must move accordingly.
NeuraCyb's Assessment
The most important takeaway is not simply “patch Cursor.” It is that developer workstations are becoming high-value agent runtime environments. Once an AI assistant can act inside a repository, every file, hook, config, and project instruction becomes part of the control plane. Defenders who still treat cloned repositories as inert text are already behind the threat model.
References
Cursor GitHub Security Advisory: GHSA-8pcm-8jpx-hv8r
Novee Security: How an AI Coding Agent Can Run Exploits in Cursor IDE
CSO Online: Critical Cursor Bug Could Turn Routine Git Into RCE