
A developer clones a repository. Cursor’s agent starts exploring the codebase — reading files, indexing structure, running a few git operations to understand the project. Within seconds, a hidden shell script fires with the developer’s full privileges. No dialog. No warning. No user action required after the initial clone. This is CVE-2026-26268, a CVSS 9.9 critical vulnerability affecting every version of Cursor before 2.5. If you haven’t updated, you’re still exposed.
What the CVE Actually Is
CVE-2026-26268 is a remote code execution vulnerability in Anysphere’s Cursor AI IDE, publicly disclosed on April 28, 2026, following responsible disclosure by Novee Security. The CVSS score sits at 8.1 (High) in the original advisory — NVD upgraded it to 9.9 (Critical). The discrepancy doesn’t matter much: both mean “drop what you’re doing and update.” Every Cursor release before version 2.5 is affected, which means versions going back through the entire 1.x line and all of 2.0 through 2.4.
How It Works: Git Hooks Meet AI Agent Autonomy
Git hooks are shell scripts that execute automatically when specific git events occur — a pre-commit hook runs before a commit, a post-checkout hook runs after a checkout. They live in .git/hooks/ and run with the full privileges of the user executing git. This is documented, expected behavior. The attack against Cursor weaponizes it.
An attacker creates a public repository with a hidden bare repository embedded inside it. Bare repositories contain only version control data — no working directory — and can live as a subdirectory inside an otherwise normal-looking repo. Inside that embedded bare repo sits a malicious pre-commit hook. Here’s the structure:
cool-library/
├── README.md              ← looks legitimate
├── src/                   ← real code
└── submodule/.git/        ← embedded bare repo
    └── hooks/
        └── pre-commit     ← malicious script
Without an AI agent, this attack requires the developer to manually navigate into the subdirectory and run a hooked git command — unlikely by accident. With Cursor’s AI agent, the situation changes entirely. The agent’s standard bootstrap behavior includes running git operations to explore the repository structure. That process triggers the pre-commit hook automatically, without any additional user action. As Novee Security confirmed: there is no prompt injection, no user click, and no warning dialog — the agent’s normal bootstrap flow is sufficient to trigger execution.
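A read-only check to run on a fresh clone before an agent touches it, added here as an example (it is not code from Cursor or Novee Security): it lists active hook files inside any git-shaped directory other than the clone's own top-level .git. The function names are assumptions made for this example, and the script only inspects files; it never invokes git.

```sh
#!/bin/sh
# Added example (hypothetical helper names). Usage after sourcing this file:
#   check_clone path/to/fresh-clone

# is_git_dir DIR: succeeds if DIR has the layout git accepts as a repository
# (a HEAD file plus objects/ and refs/ directories), whatever DIR is called.
is_git_dir() {
    [ -f "$1/HEAD" ] && [ -d "$1/objects" ] && [ -d "$1/refs" ]
}

# list_embedded_hooks ROOT: print one path per active hook file that sits in
# a git directory under ROOT, skipping ROOT/.git (the clone's own metadata,
# which a clone does not populate with the remote's hooks).
list_embedded_hooks() {
    root="${1%/}"
    find "$root" -type d -name hooks | while IFS= read -r hooks; do
        gitdir="${hooks%/hooks}"
        [ "$gitdir" = "$root/.git" ] && continue
        is_git_dir "$gitdir" || continue      # e.g. src/hooks in a web app
        for hook in "$hooks"/*; do
            [ -f "$hook" ] || continue
            case "$hook" in *.sample) continue ;; esac   # git's inert templates
            printf '%s\n' "$hook"
        done
    done
}

# check_clone ROOT: report findings; status 0 if clean, 1 if any hook found.
check_clone() {
    hits=$(list_embedded_hooks "$1")
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits" | sed 's/^/ACTIVE HOOK IN EMBEDDED GIT DIR: /'
        return 1
    fi
    return 0
}
```

A non-zero status is the signal to inspect the clone in a throwaway VM or container rather than opening it with an agent enabled.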
What Gets Taken
Developer workstations are high-value targets precisely because of what lives on them. A working exploit for CVE-2026-26268 can read and exfiltrate anything the developer’s user account can access: ~/.env files, ~/.aws/credentials, ~/.ssh/ private keys, IDE-stored tokens for OpenAI, Anthropic, Stripe, GitHub, and every other service in the developer’s workflow. Add proprietary source code and internal database or CI/CD access. The 2025 GitGuardian report found 1.275 million AI-related secrets leaked — up 81% year over year — and developer machines are the primary source.
Fix It: Upgrade to Cursor 2.5 Now
The fix is straightforward: upgrade to Cursor 2.5. Check your current version via Help → About, or run:
cursor --version
If the output is anything below 2.5.x, you are vulnerable. Update immediately through Cursor’s built-in update mechanism or download from cursor.com. Cursor 2.5 also patches four other CVEs in the same release: CVE-2025-64106 (CurXecute), CVE-2025-59944 (case-sensitivity bypass), MCPoison, and the .cursorignore bypass. The release ships sandbox network and filesystem controls — the most meaningful security infrastructure Cursor has released to date. If you manage a developer fleet, verify all workstations are on 2.5 before end of day.
The Broader Problem Is the Threat Model
CVE-2026-26268 represents something new: a CVE where the AI agent’s helpfulness is the attack vector. Cursor didn’t write buggy parsing code — it built an agent that autonomously explores codebases, exactly what users want. The problem is that autonomous exploration, in the context of git hooks, creates an execution path attackers can pre-position for. This threat model applies to every AI coding tool with agent capabilities. Windsurf, VS Code Copilot in agent mode, and any IDE that runs autonomous git operations in unfamiliar repos carries equivalent risk unless explicitly defended against.
Treat cloning an unknown repo with an active AI agent the way you’d treat running an install script from a stranger’s website. A throwaway VM or container for exploring untrusted code is no longer just paranoia — it’s the correct operational model. CVE-2026-26268 won’t be the last time an AI agent’s standard behavior becomes the attack surface. Patch first, rethink the trust model second.













