CVE-2026-26268 is a CVSS 8.1 high-severity vulnerability in the Cursor AI IDE that lets a malicious repository execute arbitrary code on a developer's machine the moment Cursor's agent performs a Git operation against it. There is no prompt injection, no user click, and no warning dialog. The agent's normal bootstrap flow is sufficient to trigger execution.
The bug is patched in Cursor 2.5. Every version prior to 2.5 is affected.
How the Mechanism Works
Cursor's agent operates with significant autonomy inside a workspace. When you open a new project, the agent indexes the codebase, summarizes structure, offers to set up the dev environment, and performs Git operations as part of that bootstrap.
The vulnerability allows a repository to ship a .git/hooks/ configuration containing arbitrary shell commands. Git hooks are scripts that Git executes at specific points in the workflow (pre-commit, post-checkout, post-merge, etc.). When Cursor's agent triggers any Git operation that fires one of these hooks, the hook script runs with the developer's process privileges.
Critically:
- No human typed git commit. The agent did.
- No trust dialog appeared. The hook ran during a normal agent operation.
- No prompt injection was needed. The agent was not subverted; it was performing its standard workflow.
How to Check if You Are Affected
1. Check your Cursor version
From inside Cursor: Help -> About
Or from terminal:
cursor --version
2. If output is < 2.5, you are running a vulnerable version.
If you have ever opened an unfamiliar repository in Cursor on a pre-2.5 version, treat the developer environment as potentially compromised. Specifically:
Audit Git hooks in any recently-opened workspace
cd /path/to/workspace
ls -la .git/hooks/
Anything not ending in .sample (the default Git template files) is custom.
Inspect the contents of every non-.sample file.
cat .git/hooks/post-checkout 2>/dev/null
cat .git/hooks/pre-commit 2>/dev/null
cat .git/hooks/post-merge 2>/dev/null
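An added example, not part of the advisory and not code from Cursor or Armor1, that automates the hook audit above: it lists every non-.sample file in a workspace's .git/hooks, shows the first lines of each for review, and additionally flags a core.hooksPath override in .git/config (a check beyond the advisory's list, since that setting relocates hooks outside .git/hooks). It assumes a POSIX shell and takes the workspace path as its first argument.

```shell
#!/bin/sh
# Added example (not part of the advisory): audit a workspace for custom Git
# hooks, the artifact the remediation steps above tell you to inspect.
# Assumes a POSIX shell; the workspace path is the first argument.

# Print the path of every file in .git/hooks that is not a *.sample template.
list_custom_hooks() {
    hooks_dir="$1/.git/hooks"
    [ -d "$hooks_dir" ] || return 0
    for f in "$hooks_dir"/*; do
        [ -f "$f" ] || continue            # empty dir: the glob stays literal
        case "$f" in *.sample) continue ;; esac
        printf '%s\n' "$f"
    done
}

# Count custom hooks (0 means only the default templates are present).
count_custom_hooks() {
    list_custom_hooks "$1" | wc -l | tr -d ' '
}

# Report custom hooks and any core.hooksPath override in .git/config, which
# would relocate hooks outside .git/hooks (a check beyond the advisory's list).
# Returns 0 when nothing suspicious is found, 1 otherwise.
audit_hooks() {
    ws="${1:-.}"
    status=0
    list_custom_hooks "$ws" | while IFS= read -r f; do
        mode=$(ls -l "$f" | cut -c1-10)
        echo "custom hook: $f ($mode)"
        head -n 5 "$f" | sed 's/^/    /'   # show the first lines for review
    done
    n=$(count_custom_hooks "$ws")
    [ "$n" -eq 0 ] || status=1
    if grep -qi 'hooksPath' "$ws/.git/config" 2>/dev/null; then
        echo "core.hooksPath override present in $ws/.git/config:"
        grep -i 'hooksPath' "$ws/.git/config" | sed 's/^/    /'
        status=1
    fi
    echo "$n custom hook(s) in $ws/.git/hooks"
    return "$status"
}
```

Run it as `audit_hooks /path/to/workspace`; a non-zero exit means something was found and the printed hook contents deserve a manual read before the repository is reopened.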
How to Fix
- Update Cursor to 2.5 or later. From inside Cursor, choose Help -> Check for Updates. The fix landed in version 2.5; every version before that is vulnerable.
- Audit any unfamiliar repos you opened on a pre-2.5 version. If you opened a repo from an unknown source while running 2.4 or earlier, inspect its .git/hooks/ directory for custom scripts before reopening it.
- Rotate credentials reachable from the developer environment if you have reason to believe a malicious workspace was opened. Session tokens, API keys, and any credentials cached in environment variables or local config files are in scope.
- For team installations, push Cursor 2.5 fleet-wide and confirm uptake through your MDM or distribution channel.
How Armor1 Detects This
Armor1's Client Catalog evaluates AI coding clients across 16 risk categories. Two of those categories are directly relevant to CVE-2026-26268:
- Script Hooks: measures whether the client runs hook scripts from workspace-controlled locations without independent user confirmation. Cursor versions before 2.5 surface as a high-risk posture in this category. The catalog reflects the structural feature, not just the disclosed CVE, which means similar vulnerabilities in the same class would surface even before they receive a CVE assignment.
- Execution Approval Controls: measures whether sensitive operations require user-visible approval before execution. An agent that performs Git operations on a fresh workspace without an approval gate is, by definition, exposed to this attack pattern.
For developer fleets running multiple AI IDEs, the catalog inventories every AI coding client in scope and tracks the version-to-risk mapping across the fleet.
Armor1's free public catalog covers the per-server MCP risk picture. The full agentic stack scan covers every app, MCP, tool, skill, and plugin across your environment.