Vulnerabilities | Apr 29, 2026

Cursor AI IDE vulnerability allows code execution via hidden Git hooks

CVE-2026-26268 in Cursor AI IDE allows arbitrary code execution via hidden Git hooks.

Summary

Researchers at Novee discovered a high-severity vulnerability (CVE-2026-26268, CVSS 8.1) in Cursor AI IDE that allows attackers to execute arbitrary code when developers clone repositories. The flaw exploits Git hooks hidden in nested bare repositories, which are automatically triggered by Cursor's autonomous AI agent without user interaction. The vulnerability was patched in February 2026 and publicly disclosed on April 28, 2026.

Full text

Novee researchers find high-severity CVE-2026-26268 flaw in Cursor AI, allowing hackers to run malicious code when developers clone repositories.

By Deeba Ahmed, April 29, 2026

Researchers from threat hunting firm Novee have found a security flaw in Cursor, a popular AI-powered Integrated Development Environment (IDE). This high-severity arbitrary code execution vulnerability, tracked as CVE-2026-26268 (CVSS 8.1), allows hackers to take control of a programmer’s computer just by having them clone a project repository (downloading a copy of a project’s files and its entire history to their computer from a website like GitHub).

How the Attack Works

The issue isn’t caused by a bug in the Cursor code (core product logic) itself. It is caused by the way the AI tool interacts with Git, a popular and widely used tool for tracking code changes. Git uses Git hooks, which are small scripts that run automatically during certain tasks.

According to researchers, hackers can hide a malicious pre-commit hook inside a nested bare repository. This is a special folder that holds version control data without showing any actual files to the user. When the Cursor AI agent tries to do normal tasks like a git checkout, it accidentally triggers the hidden trap, leading to arbitrary code execution. This means the hacker’s code runs without any warning or pop-up asking for permission. It all happens so discreetly mainly because of the Cursor Rules file that tells the AI what to do.

Why AI Agents Are the Targets

AI agents are changing the way scammers operate. In the past, a client-side attack usually required a person to click on a suspicious link at least once. Since the AI agent in Cursor can make its own choices and run system-level commands, it can be tricked into running malware while it thinks it is just helping the user, and this is “what makes this vulnerability exploitable at scale,” researchers noted.

They further explained that the attack surface is growing because AI tools now work autonomously on untrusted code from the internet. So, when a developer clones a project from a public site, the AI will start working on it and activate the exploit immediately. Because this attack involves no social engineering or user interaction, only cloning a public repository, a routine task that AI agents now automate, the underlying environment becomes a serious security risk as these tools gain more autonomy.

[Figure: Attack method explained (Source: Novee)]

Fixing the Problem

Following responsible disclosure principles, Novee researchers informed and collaborated with Cursor developers to fix the issue. The official fix was completed in February 2026, and the vulnerability details were disclosed on April 28th in a blog post and shared with Hackread.com.

This discovery is a big deal because a developer’s computer usually holds sensitive private data, like access tokens, passwords, and secret company code. Novee experts therefore recommend that security teams audit AI coding assistants rather than just assuming they are safe.

“The assumption is that the tools developers use to build software are themselves secure. That assumption is worth revisiting, especially when those tools are AI-powered agents, operating autonomously inside a developer’s local environment on code from any source on the internet,” researchers concluded.

About the author: Deeba Ahmed is a veteran cybersecurity reporter at Hackread.com with over a decade of experience covering cybercrime, vulnerabilities, and security events. Her expertise and in-depth analysis make her a key contributor to the platform’s trusted coverage.
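As an added example (not code from Novee, Cursor or the article), here is a check a team could run on a freshly cloned working tree before an agent operates on it: it flags git directories nested inside the clone, as described under "How the Attack Works", and lists the hooks in them that git would execute. The function names and the exit-code convention are assumptions of this example.

```python
import os
import sys


def looks_like_git_dir(path):
    """True if `path` has the layout git accepts as a repository directory."""
    return (os.path.isfile(os.path.join(path, "HEAD"))
            and os.path.isdir(os.path.join(path, "objects"))
            and os.path.isdir(os.path.join(path, "refs")))


def active_hooks(git_dir):
    """Hook files git would run: in hooks/, not *.sample, executable."""
    hooks_dir = os.path.join(git_dir, "hooks")
    if not os.path.isdir(hooks_dir):
        return []
    return sorted(
        name for name in os.listdir(hooks_dir)
        if not name.endswith(".sample")
        and os.path.isfile(os.path.join(hooks_dir, name))
        and os.access(os.path.join(hooks_dir, name), os.X_OK)
    )


def find_nested_git_dirs(worktree):
    """List git directories embedded in a clone, other than its own .git."""
    top_git = os.path.realpath(os.path.join(worktree, ".git"))
    findings = []
    for root, dirs, _files in os.walk(worktree):
        if os.path.realpath(root) == top_git:
            dirs[:] = []  # the clone's own metadata is expected; skip it
            continue
        if root != worktree and looks_like_git_dir(root):
            findings.append({"path": os.path.relpath(root, worktree),
                             "hooks": active_hooks(root)})
            dirs[:] = []  # no need to descend into the nested repository
    return findings


if __name__ == "__main__":
    # Usage: python scan_nested_git.py <path-to-clone>  (script name is arbitrary)
    results = find_nested_git_dirs(sys.argv[1] if len(sys.argv) > 1 else ".")
    for f in results:
        print(f"{f['path']}: active hooks = {', '.join(f['hooks']) or 'none'}")
    # Non-zero exit lets a wrapper refuse to start the agent on this tree.
    sys.exit(1 if any(f["hooks"] for f in results) else 0)
```

The check works on directory layout only and does not judge what a hook does, so any hit in a third-party clone is a prompt for manual review.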

Indicators of Compromise

  • cve — CVE-2026-26268

Entities

  • Cursor AI (product)
  • Cursor (vendor)
  • Novee (vendor)
  • Git (technology)
  • Git hooks (technology)