Critical Cursor IDE Vulnerability (CVE-2026-26268) Lets a Cloned Repo Run Code on Your Machine — Patch in 2.5 (April 28, 2026)
Novee researchers disclosed CVE-2026-26268 on April 28, 2026: a critical Cursor IDE vulnerability that turns a routine git checkout into arbitrary code execution. NVD scored it 9.9/10. Patched in Cursor 2.5.
Security researchers at Novee publicly disclosed CVE-2026-26268, a critical arbitrary-code-execution vulnerability in Cursor IDE that turns a routine git checkout into a remote-code-execution path. The flaw — initially scored 9.9/10 by NVD and re-scored 8.1 by SentinelOne's vulnerability database — affects every Cursor build before version 2.5, the patch that landed in February 2026 ahead of public disclosure.
What Happened
The bug lives at the intersection of three things: Cursor's autonomous AI agent, a long-standing Git feature called pre-commit hooks, and "bare" Git repositories that contain only metadata. An attacker constructs a project that nests a malicious bare repository inside a normal-looking parent repo and seeds the bare repo's hooks/ directory with a hostile pre-commit script. When a developer asks Cursor's agent to do anything that triggers a Git operation in that path — typically a checkout invoked indirectly by a high-level prompt like "fix the failing test" — Git silently runs the hook with the developer's privileges. No click-through, no warning prompt.
Crucially, the root cause is not a bug in Cursor's own code. It is a feature interaction: Git hooks were designed for trusted local repositories, but Cursor's agent autonomously executes Git operations against repositories it does not control. The same agent loop that makes Cursor productive is what makes the attack invisible.
Key Details
- CVE ID: CVE-2026-26268. NVD severity 9.9/10 (Critical); SentinelOne lists it at CVSS 8.1 (High).
- Affected versions: All Cursor releases prior to 2.5.
- Patch shipped: February 2026, with hardening that blocks unauthorized writes to Git configuration and hook directories.
- Disclosure: Coordinated disclosure under responsible-disclosure terms; public write-up by Novee on April 28, 2026.
- Exploitation in the wild: None reported as of disclosure.
- Trigger: Cloning or interacting with a malicious repository while running Cursor's AI agent — no user interaction beyond a normal prompt is required.
What Developers and Security Researchers Are Saying
Reaction across security press has been uniformly alarmed. CSO Online framed the bug as evidence that "agentic IDEs change the threat model" — autonomous tools execute privileged operations on data the developer never inspected. The Hacker News bundled the Cursor disclosure with a near-simultaneous CVSS-10 RCE in Google's Gemini CLI, calling AI coding tools "a new attack surface that the industry has not yet built mature defenses for." Pillar Security separately published research showing similar weaponization paths against GitHub Copilot, suggesting the class of attack is not Cursor-specific.
Developer sentiment on Hacker News and r/programming centered on two themes. First, surprise that Cursor's agent runs Git operations without a sandbox by default — several commenters noted they had assumed agent actions were containerized. Second, frustration at how routine the trigger is: "you don't have to do anything wrong to be exploited," one widely upvoted comment summarized. Several developers reported pinning Cursor to 2.5+ in their team policies the same day the disclosure dropped.
What This Means for Developers
If you use Cursor, the action is concrete and immediate. Update to Cursor 2.5 or later today — the fix has been available since February but only became urgent on April 28 when a public proof-of-concept dropped. Verify your version under Cursor → Settings → About; teams running fleet management should push the upgrade through MDM. For repositories you do not fully trust (open issues, untriaged pull-request branches, third-party clones), avoid running agent prompts that touch Git until you have manually reviewed .git/hooks/ and verified there are no nested bare repositories.
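The manual review step above can be scripted. The following is an added example, not Cursor's or Novee's code; it assumes a bare repository can be recognised by a directory holding HEAD, config, objects/ and refs/, and it builds a constructed sample tree (a clean parent repo plus a nested vendor/tool.git carrying an executable pre-commit hook) to run against:

```bash
#!/usr/bin/env bash
# Added example, not Cursor's or Novee's code: audit a checkout for nested bare repos
# and executable hooks before an AI agent is allowed to run Git inside it.
# Assumed heuristic: a dir holding HEAD, config, objects/ and refs/ is a bare repo.

find_nested_bare_repos() {   # $1: working-tree root; prints nested bare repo dirs
  local head dir
  find "$1" -type f -name HEAD 2>/dev/null | while read -r head; do
    dir=$(dirname "$head")
    [ "$dir" = "$1/.git" ] && continue   # the parent's own metadata is expected
    [ -f "$dir/config" ] && [ -d "$dir/objects" ] && [ -d "$dir/refs" ] && echo "$dir"
  done
}

list_active_hooks() {        # $1: a git dir; prints executable hooks, skipping *.sample
  local f
  for f in "$1"/hooks/*; do
    [ -f "$f" ] && [ -x "$f" ] || continue
    case "$f" in *.sample) ;; *) echo "$f" ;; esac
  done
}

audit_checkout() {           # $1: working-tree root; returns 1 if anything suspicious
  local found=0 repo hook
  while read -r repo; do
    echo "nested bare repository: $repo"; found=1
    while read -r hook; do echo "  active hook: $hook"; done < <(list_active_hooks "$repo")
  done < <(find_nested_bare_repos "$1")
  while read -r hook; do
    echo "active hook in parent .git: $hook"; found=1
  done < <(list_active_hooks "$1/.git")
  return "$found"
}

make_demo_tree() {           # constructed sample: clean parent + vendor/tool.git with a hook
  local root bare
  root=$(mktemp -d); bare=$root/vendor/tool.git
  mkdir -p "$root/.git/"{objects,refs,hooks} "$bare/"{objects,refs,hooks}
  printf 'ref: refs/heads/main\n' | tee "$root/.git/HEAD" > "$bare/HEAD"
  : > "$root/.git/config"; : > "$root/.git/hooks/pre-commit.sample"
  printf '[core]\n\tbare = true\n' > "$bare/config"
  printf '#!/bin/sh\necho "demo hook executed"\n' > "$bare/hooks/pre-commit"
  chmod +x "$bare/hooks/pre-commit"
  echo "$root"
}

demo=$(make_demo_tree)
audit_checkout "$demo" || echo "verdict: do not let the agent run Git in $demo"
rm -rf "$demo"
```

Point `audit_checkout` at a real clone before prompting the agent in it. On Git 2.38 and later, `git config --global safe.bareRepository explicit` additionally stops Git from discovering bare repositories embedded inside a working tree unless they are named explicitly via --git-dir or GIT_DIR.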
The broader lesson is structural. AI coding agents collapse the boundary between "reading code" and "executing code." Anything an agent can autonomously run on your behalf becomes part of your trust boundary, including innocuous-looking version-control plumbing. Expect more CVEs of this shape across every agentic dev tool over the next year.
What's Next
Cursor's official advisory is in the changelog for version 2.5; the team has not yet detailed long-term sandbox plans for the agent's Git layer, but Novee's writeup suggests upstream Git itself may need configuration hardening — for example, refusing to execute hooks from nested bare repos by default. Meanwhile the broader agentic-IDE category — Copilot, Continue, Aider, JetBrains AI, and Windsurf — is now under researcher focus. Pillar Security's parallel disclosure indicates more findings are likely in the coming weeks.
Sources
- Novee Security — CVE-2026-26268 technical writeup — primary disclosure with full proof-of-concept.
- NVD — CVE-2026-26268 detail — official record and severity score.
- CSO Online — Critical Cursor bug could turn routine Git into RCE
- Hackread — Cursor AI IDE vulnerability allows code execution via hidden Git hooks
- The Hacker News — Google Fixes CVSS 10 Gemini CLI RCE and Cursor Flaws
- Pillar Security — New Vulnerability in GitHub Copilot and Cursor