◆ NOISE IN → SIGNAL OUT◆ READALCHEMIST.COM◆ FREE / NO PAYWALL◆ NOISE IN → SIGNAL OUT◆ READALCHEMIST.COM◆ FREE / NO PAYWALL
THE DIGITAL ALCHEMIST
SecurityIMPACT 84

Seven Months, 197 Versions, One Unpatched RCE in Cursor

Mindgard reported a trivial git.exe exploit to Cursor in December. Cursor shipped release after release and said nothing. Public disclosure arrived. The patch followed within hours. The technical story is over. The trust story is just starting.

2026-07-154 MIN READ#Cursor · #Anysphere · #zero-day · #RCE · #developer-tools · #security-disclosure · #SpaceX · #AI-IDE
The Digital Alchemist
The Digital Alchemist

The proof-of-concept was Windows Calculator renamed to git.exe.

That is the whole exploit. Place that file in the root of a repository. Any developer who opens the repo in Cursor on Windows will execute it automatically, with no click, no prompt, no warning. Swap Calculator for a remote access trojan or ransomware binary and the attack is operational. Aaron Portnoy, Mindgard's chief product officer and first Pwn2Own organizer, called it exceptionally easy to exploit and said a threat actor would "definitely operationalize this" against a specific target.

Mindgard identified the vulnerability on December 15, 2025, reported it the same day, and reported it multiple times since. More than six months and 197 new Cursor versions later, the issue remained present in the latest tested version at disclosure.

That second sentence is the story.

The Disclosure Timeline
213Days vendorignored report197Cursor versionsshipped duringsilence24Hours to patchafter publicdisclosure5Minutes to fixper researcherestimate
Source: Mindgard disclosure report, July 2025

What Cursor Actually Did for Seven Months

Cursor's CISO eventually acknowledged an internal automation failure had prevented the HackerOne workflow from triggering. Mindgard was invited into the private bug bounty program, resubmitted the report, and the report was initially closed as Informative and out of scope. After Mindgard challenged that determination, HackerOne reopened it, reproduced the issue, and confirmed details had been delivered to Cursor.

Translation: the report landed, was read, was triaged as not their problem, and sat there while the product shipped nearly 200 releases.

Mindgard's disclosure statement was direct: "Seven months after initial disclosure, we have no indication that users are being protected, that remediation is underway, or that affected organizations have been informed." The firm concluded: "Withholding information no longer serves users, it serves silence." So they published full details.

A Cursor spokesperson told Dark Reading on July 13: "I can confirm we are addressing this and will get back to Mindgard accordingly."

The Digital Alchemist
The Digital Alchemist

The Actual Exposure

Before you rationalize this as a niche Windows problem: understand what sits on a developer machine running Cursor. AWS credentials. SSH keys. Internal repository access. Signing certificates. The OS-level code execution this bug enables is not access to a sandboxed process. It is access to all of that.

The vulnerability requires no prompt injection, model manipulation, jailbreaks, or memory corruption. Exploitation simply requires a developer to open a project containing a git.exe binary at repository root. A poisoned public repository on GitHub, cloned by anyone in an engineering organization, delivers the payload to every machine where someone opens it in Cursor. The IDE executes the malicious binary repeatedly on a cadence with no user interaction.

Portnoy said he could fix this vulnerability in "about five minutes by reverse engineering the one line change they need to make."

A one-line fix. Seven months.

Now stack that against what Cursor is: seven million-plus active users, one million daily actives, one million paying subscribers, used by more than 50,000 companies. Cursor's enterprise page claims 64 percent of Fortune 500 companies use the product. On June 16, SpaceX announced it will acquire Cursor's parent company Anysphere at a $60 billion valuation.

A $60 billion asset, en route to SpaceX, had a trivial unauthenticated RCE open for seven months because nobody treated the disclosure as urgent.

What This Costs Going Forward

The patch is out now. Update immediately and verify the version.

A CISO evaluating Cursor for enterprise rollout now has a documented, sourced, seven-month non-response to a critical RCE as a data point. As of May 2026, Cursor had no public bug bounty program, and Anysphere accepts vulnerability reports at a security email with a stated acknowledgement SLA of five business days. Five business days to acknowledge. Seven months to act.

Full disclosure just proved its case. The researchers published, the patch shipped within hours, and every vendor watching now knows the lever exists. Cursor got off relatively lightly: no confirmed exploitation, no breach, no customer notification required. The reputational cost is real but survivable.

What is not survivable is if the next one goes the same way.

What to watch: Whether Anysphere publishes a post-mortem explaining the seven-month delay. Whether a formal public security disclosure SLA appears in Cursor's documentation before the SpaceX acquisition closes. Whether other AI-first IDEs with similar Git path resolution logic get audited next, because this class of pre-trust execution bug is not unique to Cursor.

Sources
  1. Cursor 0day: When Full Disclosure Becomes the Only Protection Left
  2. Cursor IDE Auto-Executes Malicious Code in Poisoned Repos
  3. Critical Cursor AI IDE Flaws Could Lead to OS-Level Remote Code Execution
  4. Cursor (company) - Wikipedia
  5. Cursor Security: The 2026 Enterprise Hardening Guide
  6. Cursor 0day: When Full Disclosure Becomes the Only Protection Left | Hacker News
  7. Cursor IDE DuneSlide Flaws Enable Zero-Click Sandbox Escape and RCE | Mallory
  8. Cursor AI IDE vulnerability allows code execution via hidden Git hooks
  9. Cursor IDE's MCP Vulnerability - Check Point Research
  10. Critical Cursor Flaws Could Let Prompt Injection Escape Sandbox and Run Commands
  11. Cursor AI Code Editor Fixed Flaw Allowing Attackers to Run Commands via Prompt Injection
  12. CVE-2026-26268: How an AI Coding Agent Can Run Exploits in Cursor IDE
  13. Cursor AI Code Editor vulnerabilities CurXecute and MCPoison | Tenable®
  14. CVE-2025-64110: Cursor Information Disclosure Vulnerability
  15. CVE-2025-54136: Anysphere Cursor RCE Vulnerability
  16. CVE-2025-64107: Anysphere Cursor RCE Vulnerability
  17. CVE-2025-59944: Anysphere Cursor RCE Vulnerability
  18. Cursor patches DuneSlide flaws that enable zero-click RCE | AI Weekly
  19. Cursor AI Valuation Hits $60B: Anysphere's $2B Revenue Surge [2026]
  20. Cursor AI Statistics 2026: Users, Revenue and Adoption
  21. Cursor by Anysphere Revenue 2026: $4B Est. ARR
  22. How to Invest in Cursor AI Stock in 2026
  23. Cursor AI Valuation: $29.3B Series D, $2B ARR, and the Round-by-Round Math Behind Anysphere | Value Add VC
  24. Cursor Statistics 2026: Key Numbers, Data & Facts
  25. SpaceX buys Cursor-maker Anysphere for $60B in enterprise AI push: report — TFN
  26. Report: Cursor Business Breakdown & Founding Story | Contrary Research
  27. Cursor momentum builds with SpaceX $60B deal interest and advance $2B funding talks | PM Insights
← back to the feed
NVDA 210.96 ▲ 4.03%AAPL 315.32 ▼ 0.28%MSFT 385.10 ▲ 0.19%GOOGL 357.18 ▼ 0.48%AMZN 245.34 ▼ 0.69%META 669.21 ▲ 5.97%TSLA 407.76 ▲ 0.30%AMD 557.89 ▲ 2.04%AVGO 399.97 ▼ 0.28%PLTR 126.79 ▼ 1.74%COIN 159.07 ▲ 0.40%MSTR 94.64 ▲ 0.80%NVDA 210.96 ▲ 4.03%AAPL 315.32 ▼ 0.28%MSFT 385.10 ▲ 0.19%GOOGL 357.18 ▼ 0.48%AMZN 245.34 ▼ 0.69%META 669.21 ▲ 5.97%TSLA 407.76 ▲ 0.30%AMD 557.89 ▲ 2.04%AVGO 399.97 ▼ 0.28%PLTR 126.79 ▼ 1.74%COIN 159.07 ▲ 0.40%MSTR 94.64 ▲ 0.80%