Security researchers at Mindgard published a full disclosure today of an unpatched Cursor IDE RCE vulnerability — after seven months of near-silence from the vendor. The flaw is direct: on Windows, a malicious git.exe placed in any repository root gets executed automatically the moment a developer opens the project in Cursor. No click, no prompt, no warning. Your credentials, environment files, and source code are reachable the instant you open an untrusted repo.
What the Cursor IDE RCE Vulnerability Does
When Cursor loads a project on Windows, it searches for Git binaries across multiple paths — and the workspace root is one of them. That search order means any git.exe sitting in the repository root gets priority over the system Git installation. Cursor then invokes it repeatedly during normal IDE operation for routine commands like git rev-parse --show-toplevel, with no indication that anything unusual is happening.
According to the Mindgard full disclosure post, researchers put it plainly: “Cursor will execute it automatically. There are no clicks, prompts, approval dialogs, or warnings. The result is arbitrary code execution.” The execution runs under the developer’s own privilege level — sufficient to reach API keys, secrets in .env files, and everything else living in a typical dev environment.
The practical attack path is not exotic. A developer clones a repository from GitHub, receives a zip from a client, or opens code shared by a contractor. If git.exe exists in the project root, it runs automatically. No social engineering beyond getting a file into a repo someone might clone.
Seven Months, 70+ Versions, Still Unpatched
Mindgard reported this vulnerability on December 15, 2025. What followed was a disclosure process that illustrates exactly how coordinated vulnerability handling can break down completely. Cursor’s security team dismissed the initial report as out-of-scope, then reopened it after Mindgard challenged the closure with reproduction evidence — then went quiet. Multiple follow-up requests over the next several months received no meaningful response.
By June 1, 2026, Mindgard announced intent to publish publicly. Still no response from Cursor. By July 14, with 70+ new IDE versions shipped since the original report and the vulnerability confirmed present in v3.2.16 as recently as April 30, researchers published the full disclosure. No CVE has been assigned — almost certainly because the vendor never formally engaged with the report.
“Coordinated disclosure only works when there is coordination.” — Mindgard
When vendors stay silent, full disclosure becomes the only mechanism that actually protects users. Mindgard chose users over silence.
This Is Not DuneSlide — Know the Difference
If you updated to Cursor 3.0 after April’s DuneSlide disclosure, you are not protected from this. The two vulnerabilities are entirely separate issues:
- DuneSlide (CVE-2026-50548 and CVE-2026-50549): Zero-click sandbox escape via prompt injection through MCP servers or web search results. CVSS 9.8. Patched in Cursor 3.0, April 2, 2026. Cross-platform.
- Mindgard git.exe RCE (no CVE assigned): Triggered by opening a repository containing a malicious binary. Windows only. Not patched as of today. No official vendor response.
Updating to Cursor 3.0 or later addresses DuneSlide. It does not address this. Windows developers running any version of Cursor remain exposed at the application level until the vendor releases a fix.
What Windows Cursor Users Must Do Now
No application-level patch is available. Mitigation requires OS-level controls or workflow changes:
- Enterprise and managed environments: Deploy AppLocker or Windows App Control policies denying
.exeexecution from workspace directories. Path-based deny rules targeting%USERPROFILE%\source epos\*ilename.exeblock the automatic execution at the OS level. - Individual developers: Open untrusted repositories exclusively in isolated environments — Windows Sandbox, a VM, or a disposable container. Avoid relying on file hash blocklists; a recompiled binary circumvents them trivially.
- macOS and Linux users: This specific vulnerability does not affect your platform. However, ensure Cursor 3.0 or later is installed to address DuneSlide.
The Pattern Behind the Cursor Security Story
This is the fifth significant Cursor security disclosure in under twelve months. CurXecute (CVE-2025-54135), MCPoison (CVE-2025-54136), a Git hook injection CVE (CVE-2026-26268), DuneSlide, and now this unpatched git.exe RCE. The recurring pattern: AI coding assistants are granted enormous trust — filesystem access, shell execution, credential exposure — while security investment has not kept pace with that privilege or with user growth.
Moreover, broader research published in 2026 catalogued 30+ vulnerabilities across Copilot, Windsurf, and other AI coding tools following the same architecture: prompt injection reaching file writes reaching arbitrary code execution. ByteIota has previously covered AI code reviewer hijacking attacks and the SpaceX acquisition of Cursor — the security track record raises questions about what changes under new ownership, if anything.
The tools that most effectively assist developers are also the most attractive targets for anyone trying to reach developer machines, codebases, and the credentials stored inside them. Cursor has not publicly commented on the Mindgard disclosure as of publication. Whether this one receives the urgency it deserves is, at this point, an open question. Read the Hacker News discussion for the community’s unfiltered take.













