In a recent revelation, Cursor, a popular development tool, has come under scrutiny for a significant security vulnerability that allows arbitrary code execution simply by opening a project repository on Windows. The flaw, reported by AI security firm Mindgard, hinges on the presence of a file named git.exe in the project root. Upon opening the repository, Cursor automatically executes this binary without any user prompts or warnings, running it with the privileges of the logged-in user.
The mechanics of this exploit are straightforward: Cursor checks various locations for a Git binary when a project is loaded, including the workspace itself. This behavior mirrors the repository-root probing described in Microsoft’s Visual Studio Code documentation. While it remains unclear whether Cursor conducts this search independently or relies on Windows to locate an unqualified git, the implications are alarming.
Mindgard’s proof of concept demonstrated the vulnerability using a benign application, Windows Calculator, renamed to git.exe and placed in the project root. Once the repository was cloned and opened, multiple instances of Calculator began to launch automatically. This scenario highlights a critical concern: the ease with which an attacker could exploit this vulnerability by simply cloning a repository containing a malicious binary.
Despite the severity of the issue, Cursor has yet to release a patch or advisory. The timeline of events reveals that Mindgard first reported the flaw on December 15, 2025, but it took seven months for the full technical details to be made public. As of now, Cursor’s latest version, 3.11, released on July 10, 2026, still contains the vulnerability, according to Mindgard’s findings.
What to Do
With no patch currently available, users are advised to implement workarounds to mitigate the risk. For managed Windows environments, Mindgard recommends utilizing AppLocker or Windows App Control to create deny rules that block executables by name and path within workspace roots, such as %USERPROFILE%sourcerepos*filename.exe. This approach focuses on path rules rather than hashes, as the latter can vary with different attacker binaries.
For individual developers, it is prudent to open untrusted repositories within a disposable virtual machine or Windows Sandbox. Additionally, it is advisable to conduct thorough checks on cloned repositories or extracted archives before opening them. Files such as git.exe, npx.exe, node.exe, and where.exe should not be present in the project root.
Cursor’s security page states that the company acknowledges vulnerability reports within five business days. However, Mindgard experienced delays in communication, with Cursor’s first substantive response arriving a month after the initial report. Subsequent updates were met with silence, raising concerns about the responsiveness of Cursor’s security protocols.
The Same Bug, Three Other Vendors
This vulnerability is not unique to Cursor; other vendors have encountered similar issues. In June, Cymulate published findings revealing that several AI tools on Windows also resolve helper executables using the default search order, which prioritizes the working directory over trusted system paths. For instance, GitHub Copilot CLI and Gemini CLI both executed git.exe at startup, bypassing folder-trust prompts.
Despite the alarming nature of these findings, none of the vendors have released fixes as of Cymulate’s June report. GitHub acknowledged the issue but later downgraded its severity, while Google confirmed the validity of the Gemini CLI finding without issuing a patch. OpenAI dismissed the Codex report, arguing that if an attacker can replace git.exe, they already possess system access, which misses the essence of the reported scenario.
The underlying weakness—an untrusted search path—has persisted for years, with similar exploits documented in the past. The current situation underscores the necessity for developers to treat cloned repositories as potentially executable content, as the risk of arbitrary code execution remains a pressing concern in the evolving landscape of software development.