• 3 min read
Cursor flaw runs git.exe from project root on Windows
Mindgard says Cursor still auto-executes a repo’s malicious git.exe on Windows more than seven months after disclosure.

Image: Hacker News
A Windows zero-day in Cursor can trigger arbitrary code execution just by opening a repository, according to security firm Mindgard. The issue is simple: when Cursor loads a project, it looks for Git binaries in several places, including the workspace itself. If a repository contains a malicious git.exe in its root, Cursor executes it automatically with no prompt, no warning, and no user interaction.
Mindgard says it first identified the bug on December 15, 2025 and reported it the same day. More than seven months later, and after 197+ new versions, the firm says the flaw still exists in the latest version it tested. It last verified the behavior on April 30, 2026 against Cursor version 3.2.16 on Windows.
To demonstrate the issue, Mindgard used a harmless proof of concept: Windows Calculator renamed to git.exe and placed in the repository root. Opening that project in Cursor was enough to launch it. The firm says Cursor then kept re-executing the binary while the project remained open.
Mindgard included a Sysinternals Process Monitor log showing Cursor.exe creating git.exe with the command line git rev-parse --show-toplevel. In a real attack, the Calculator binary could be replaced with attacker-controlled code running under the current user’s privileges.

Recommended reading
Telegram’s t.me links return after sanctions hiccup
Timeline and vendor response
According to Mindgard, the disclosure process stalled repeatedly. After initial emails to the address listed in Cursor’s security.txt, the company’s CISO later said an internal automation failure had blocked the expected HackerOne workflow. Mindgard was invited into Cursor’s private bug bounty program and resubmitted the report on January 15, 2026.
The report was initially marked Informative and out of scope, then reopened on January 16, 2026 after reproduction. HackerOne confirmed delivery to Cursor on January 20, 2026, Mindgard said, but follow-up requests on February 16, March 3, April 1, and June 1, 2026 produced no meaningful update. The firm published its full disclosure on July 14, 2026.
Temporary mitigations for Windows users
Mindgard recommends different stopgaps depending on the environment:
- On enterprise or managed Windows systems, admins can use AppLocker or Windows App Control to block execution of the affected executable name from developer workspace directories.
- The firm recommends path-based deny rules scoped to repository or workspace roots, rather than hash-based rules, since attacker binaries can change.
- On consumer systems, it advises opening untrusted repositories only in an isolated VM, Windows Sandbox, or another disposable environment until Cursor ships a fix.
Mindgard frames the case as a breakdown in coordinated disclosure, arguing that users deserve to know when a straightforward, high-impact vulnerability remains unresolved while affected software continues shipping. With Cursor claiming 7 million+ active users, 1 million+ daily users, 1 million+ paying users, use by 50K+ companies, and a reported market price of $60 billion, the report raises a blunt question about how security issues are being handled at one of the biggest coding platforms on Windows.
Security Editor
Sophia unpacks the invisible wars happening on our networks. Covering cybersecurity, privacy legislation, and cryptography, she exposes how our data is weaponized and defended. Before joining for(geeks), she spent years as a penetration tester. She's the reason the rest of the team uses physical security keys.
via Hacker News


