A zero-day vulnerability in Cursor IDE — the world’s most popular AI coding assistant, with 7 million active users across 50,000 companies — allows attackers to execute arbitrary code on a developer’s machine with zero interaction required. Opening a malicious repository is enough. Security firm Mindgard discovered and reported the flaw on December 15, 2025, but received no remediation or user notification for seven months before going public.
- Attack vector: Malicious
git.exein project root, auto-executed by Cursor on Windows when opening a repository - User interaction required: None — no clicks, no prompts, no approval dialogs
- Scope: Cursor IDE on Windows; 7M+ active users, 1M+ paying customers, 50K+ companies
- Disclosed by: Mindgard, December 15, 2025 — forced to go public July 14, 2026 after 210 days of silence
- Cursor’s response: “I can confirm we are addressing this and will get back to Mindgard accordingly.”
- No confirmed in-the-wild exploitation reported at time of publication
How the Attack Works — No Clicks, No Prompts, Full OS Access
Cursor’s AI agent, when opening a repository, executes tools it expects to find on the system — including git.exe. The flaw, as documented by Mindgard and reported by Dark Reading, is that Cursor searches for executables in the local project directory before checking the system PATH. An attacker who controls a repository can place a malicious git.exe at the root, and Cursor will execute it automatically — with full OS-level access — the moment a developer opens the project.
This is a prompt injection and sandbox escape in one. The AI agent trusts its environment implicitly: it cannot distinguish between the real system git.exe and a project-local impersonator. The fix requires Cursor to restrict executable lookups strictly to validated system PATH entries — which suggests this is a structural architectural change, not a one-line patch.
For developers on Windows: do not open any repository from an untrusted source in Cursor until a patch is confirmed. Check our full AI coding assistant comparison for security posture differences across tools.
Seven Months, Zero Response
The disclosure timeline is the part of this story that demands attention. Responsible disclosure norms — established by Google Project Zero — allow 90 days. Extended timelines for complex vulnerabilities go to 180 days. Mindgard waited 210 days. During that entire period, Cursor issued no patch and no communication to the 7 million developers using the product daily.
When Dark Reading reached out for comment ahead of the July 14, 2026 public disclosure, Cursor’s sole response was: “I can confirm we are addressing this and will get back to Mindgard accordingly.” That statement was issued after the seven-month window had already expired and full disclosure was already published. No CVE has been assigned at time of publication.
GhostApproval: The Broader AI Agent Security Problem
This disclosure arrives one week after the GhostApproval vulnerability was published — a separate flaw that affects Amazon Q, Claude Code, Cursor, and multiple other AI coding agents. GhostApproval exploits a different attack surface (agent approval flows) but represents the same root problem: AI coding agents run as trusted processes on developer machines, with access to files, environment variables, secrets, and network connections, and their security sandboxing has not kept pace with their adoption.
The pattern is now impossible to ignore. AI coding agents are executing code, reading secrets, and making network requests on behalf of developers at companies across the world — and their attack surfaces are only beginning to be formally audited. As we have covered, AI coding tools are operating at a level of system access that warrants the security scrutiny typically applied to operating systems and browsers, not productivity apps.
What Cursor Users Should Do Right Now
Until Cursor issues a confirmed patch, take these precautions:
- Do not open untrusted repositories in Cursor on Windows. Clone repos into an isolated environment first and inspect the root directory for unexpected executables before opening the project in Cursor.
- Check your project roots. If you have recently opened any repo from an unknown source, check for unexpected
.exefiles at the project root. - Monitor Cursor’s release notes for a patch addressing PATH resolution order. The fix should be explicit — not a vague “security improvements” entry.
Frequently Asked Questions
What is the Cursor 0day vulnerability?
The Cursor IDE zero-day, disclosed by Mindgard in July 2026, allows arbitrary code execution on Windows machines with zero user interaction. When Cursor opens a repository containing a malicious git.exe file in the project root, it executes that file automatically — giving attackers full OS-level access without any clicks, prompts, or warnings shown to the user.
Is the Cursor 0day being actively exploited?
No confirmed in-the-wild exploitation has been reported as of the date of this article (July 15, 2026). The vulnerability was disclosed via full public disclosure by Mindgard after 210 days of no response from Cursor. However, now that technical details are public, exploitation risk has increased — developers should apply mitigations immediately.
Am I affected if I use Cursor on macOS or Linux?
Based on Mindgard’s disclosure, the confirmed attack vector involves git.exe execution on Windows. macOS and Linux use different executable resolution patterns and are not confirmed to be affected by the same mechanism. However, given that the root cause is architectural (trusting local project executables), users on all platforms should exercise caution with untrusted repositories until a formal patch is issued.
What is GhostApproval and how is it related?
GhostApproval is a separate vulnerability — disclosed one week before the Cursor 0day — that affects multiple AI coding agents including Amazon Q, Claude Code, and Cursor. It exploits AI agent approval flows rather than executable resolution. The two vulnerabilities are distinct but point to the same industry-wide problem: AI coding agents lack rigorous security sandboxing relative to the level of system access they hold.
When will Cursor patch this vulnerability?
Cursor has not provided a public timeline for a patch. Their only statement, as reported by Dark Reading on July 13, 2026, was: “I can confirm we are addressing this.” Developers should monitor Cursor’s official release notes and changelog for a specific fix addressing PATH resolution order in how the agent resolves executable files.

