Security firm Mindgard discovered the vulnerability on December 15, 2025, and reported it to Cursor the same day. On July 14, 2026, after exhausting coordinated disclosure channels, Mindgard published full technical details. Cursor acknowledged the issue on July 13 but has not released a patch or provided a timeline for one.
How the Attack Works
The vulnerability exploits how Cursor searches for Git binaries when loading a project. The application checks multiple locations, including the workspace root directory itself. If an attacker places a malicious file named git.exe in a repository’s root, Cursor automatically executes it without prompts, warnings, or user approval.
This requires no social engineering, no clicks, and no special conditions. A developer simply clones a repository and opens it in Cursor. The malicious binary runs with the developer’s full privileges, gaining access to source code, SSH keys, and cloud credentials stored in their environment.
Mindgard demonstrated the flaw by renaming Windows Calculator to git.exe and placing it in a repository root. Opening that repository in Cursor executed the application instantly.
The Seven-Month Silence
The timeline reveals a breakdown in vendor communication:
- December 15, 2025: Mindgard reports the vulnerability to Cursor’s security contact
- January 15, 2026: Cursor’s CISO responds, citing a broken HackerOne automation error, and invites Mindgard to the bounty program
- January 20: HackerOne initially dismisses the report as “not applicable” but reverses course after Mindgard challenges the ruling
- February-April: Mindgard sends multiple status requests through HackerOne and direct outreach to leadership. No response
- June 1: Mindgard notifies Cursor of intent to publish the disclosure
- July 14: Mindgard publishes full details after no evidence of remediation
- July 13-15: Cursor tells Dark Reading it is “addressing” the issue; no patch released
Mindgard notes that Cursor shipped 197 new versions during this seven-month window, yet none addressed the vulnerability.
The technical fix is straightforward. Aaron Portnoy, Cursor’s chief product officer at Mindgard, told Dark Reading that the vulnerability would take approximately five minutes to patch by reverse engineering the one-line change required. The issue is not complexity but response. A critical execution flaw in a development environment with over 50,000 companies relying on it should trigger an emergency response, not silence.
The broader concern extends beyond this single vulnerability. As AI coding agents gain access to repositories, terminals, and credentials, slow triage pipelines create compounding risk. When a vendor fails to acknowledge a fully reproducible critical report for six months straight, the coordination gap becomes the real exposure.
What Windows Users Should Do Now
Until Cursor releases a patch, Mindgard recommends:
- For individual developers: Open only trusted repositories on your main system. For any unfamiliar code, use Windows Sandbox or a disposable virtual machine
- For enterprises: Deploy AppLocker or Windows App Control policies that deny execution of
git.exefrom workspace directories (for example:%USERPROFILE%\source\repos*\git.exe). Use path-based rules, not hash-based ones, since attackers can modify the binary’s hash - For security teams: Monitor active processes for unauthorized child processes and audit endpoints for execution from workspace directories
Do not rely on file hash blocklists. Attacker-supplied binaries will have different hashes with each deployment.
Platform Impact
This vulnerability affects only the Windows version of Cursor. Mac and Linux users are not exposed to the git.exe path resolution flaw. However, Mindgard’s research also highlights a broader pattern: the same class of vulnerability has appeared in other development tools when they search for binaries in user-controllable locations.
Whether Cursor ships a fix and publishes a security advisory will now signal how seriously AI coding vendors take triage pipelines at scale.
Follow Hashlytics on Bluesky, LinkedIn, Telegram and X to Get Instant Updates



