Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1913+ Articles
150+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. News
  3. Cursor Flaw Lets Malicious Cloned Repositories Trigger Windows Code Execution
Cursor Flaw Lets Malicious Cloned Repositories Trigger Windows Code Execution
NEWS

Cursor Flaw Lets Malicious Cloned Repositories Trigger Windows Code Execution

A design flaw in the Cursor AI code editor on Windows executes any file named git.exe found in the root of a cloned project directory — automatically, with no prompt or warning, simply by opening the repository. Malicious repositories can weaponize this to steal SSH keys, cloud tokens, and source code on first open.

Dylan H.

News Desk

July 15, 2026
5 min read

A significant design vulnerability in the Cursor AI code editor on Windows allows a malicious or compromised Git repository to achieve code execution the moment a developer opens it — no interaction, no confirmation dialog, no warning. The flaw was disclosed publicly on July 15, 2026, and targets developers who use Cursor to work with open-source projects or cloned repositories.

The Vulnerability

When Cursor is opened with a repository directory on Windows, it implicitly invokes git.exe to read repository state (branch information, git history, staging area, etc.). The critical flaw: Cursor does not enforce that git.exe must come from the system PATH or a trusted location — it resolves the binary name in the current working directory first.

This means: if a malicious repository contains a file named git.exe in its root directory, Cursor will execute that file when the repository is opened. The malicious binary:

  • Executes as the current user, with all their credentials and file system access
  • Requires no user interaction — just opening the folder is sufficient
  • Produces no visible warning in the Cursor UI
  • Is not blocked by Windows SmartScreen in this execution context if the file appears to be a Git executable

The researcher who discovered this described the attack path as "horrifyingly simple" — a single 64-byte Windows executable named git.exe dropped in the repo root is enough to compromise a developer's machine.

What an Attacker Can Steal in Seconds

When Cursor auto-executes a malicious git.exe, an attacker gains immediate access to everything the developer has access to:

TargetContents
~/.ssh/SSH private keys for GitHub, GitLab, deployment servers
~/.aws/credentialsAWS access keys and secret keys
~/.config/gcloud/Google Cloud credentials and service accounts
~/.kube/configKubernetes cluster credentials
Environment variablesAPI keys, tokens, database passwords in local environment
Local git configuration~/.gitconfig with stored tokens
Browser cookies/sessionsIf accessible to the user account
Source codeAll repositories on the developer's machine

A well-crafted payload could silently exfiltrate this data to an attacker-controlled endpoint in under a second — before the developer even sees the repository contents in the editor.

Attack Scenarios

Scenario 1: Malicious Open-Source Repository

An attacker creates or compromises an open-source package on GitHub, NPM, or PyPI and adds a git.exe to the repository root. When a developer clones the repo and opens it in Cursor on Windows, code executes immediately.

Scenario 2: Supply Chain Attack via Fork

An attacker forks a popular legitimate open-source project, adds the git.exe payload, and creates a pull request. Maintainers reviewing the PR locally in Cursor trigger execution.

Scenario 3: Social Engineering

An attacker sends a developer a link to a "public repository" or shares a zip archive of a "project" with the git.exe embedded. Opening in Cursor triggers the payload.

Scenario 4: CI/CD Pipeline Attack

CI/CD systems that clone repositories and run Cursor-based tooling (e.g., automated code review, IDE-based linting) on Windows agents could be targeted to compromise build infrastructure credentials.

Historical Context: Similar Path Hijacking Issues

This class of vulnerability — current-directory binary hijacking — has a long history on Windows, predating modern development tools. The Windows DLL search order and executable resolution order have historically resolved binaries from the current working directory before the system PATH, leading to numerous privilege escalation vulnerabilities over the years.

What makes this particularly concerning in the context of AI-powered code editors like Cursor:

  • Developers actively clone untrusted code — the core workflow of open-source development
  • AI editors operate with broad permissions — they read, index, and analyze entire directory trees on open
  • Trust is implicit — developers expect their editor to be safe to use with any repository

Similar issues have been identified in other developer tools, though the specific Cursor behavior appears to be a distinct code path.

Mitigation

For Developers (Immediate)

  1. Update Cursor — check for a patched version; Cursor's team was notified and a fix is expected imminently
  2. Avoid opening untrusted repositories in Cursor on Windows until a patch is confirmed
  3. Inspect repositories before opening: dir /b git.exe or ls git.exe in the repository root before loading in any editor
  4. Use a sandboxed environment for evaluating untrusted code (VM, container, or Windows Sandbox)

For Cursor Users Generally

# Quick check before opening any cloned repo in Cursor on Windows
# Run in the cloned repo directory:
Get-ChildItem -Name "git.exe" -Recurse | Select-Object -First 10
# If git.exe appears in any directory OTHER than C:\Program Files\Git\, investigate before opening

For Organizations

  • Block untrusted repository access on developer workstations via endpoint policy where feasible
  • Monitor for unexpected process spawning from Cursor's parent process tree
  • Credential rotation policy: If developers may have opened untrusted repos in Cursor on Windows recently, consider rotating SSH keys, cloud credentials, and API tokens as a precaution

Why AI Code Editors Are High-Value Targets

Cursor, GitHub Copilot (VS Code), Windsurf, and other AI-powered editors have become central to developer workflows — they have deep integration with git, cloud providers, and CI/CD systems. A compromise of a developer's AI editor instance can yield:

  • Complete source code access for all active projects
  • Cloud credentials with production access
  • Supply chain attack capability — the ability to commit malicious code to repositories the developer has push access to
  • Pipeline secrets from .env files, docker-compose.yml, and CI configuration files

Developer workstations are increasingly recognized as among the highest-value targets in the attack surface for supply chain compromise. This Cursor vulnerability is a concrete example of why the attack surface of AI-integrated developer tools warrants serious scrutiny.


Source: The Hacker News

#Windows#Cursor#RCE#AI Code Editor#Supply Chain#Developer Security#Cloud Security

Related Articles

2-Click Cursor Exploit Enables Dev Environment Takeover

DeepJack: two clicks in Cursor IDE silently installs a malicious MCP server with full user privileges, stealing source code and secrets. Unpatched in July 2026.

5 min read

'Ghostcommit' Hides Prompt Injection in Images to Fool AI Agents and Steal Secrets

Security researchers have demonstrated 'Ghostcommit,' a technique that embeds prompt injection payloads inside PNG images to bypass AI code review tools...

4 min read

Public PoC Released for Critical libssh2 CVE-2026-55200 Client-Side SSH Flaw

A heap overflow in libssh2's transport layer allows a malicious SSH server to achieve pre-authentication RCE against any connecting client. All versions...

3 min read
Back to all News