Popular AI Code Editor Cursor Has an Unpatched Flaw That Runs Malicious Files Automatically

A security firm disclosed the bug seven months ago. Cursor has still not patched it, leaving more than seven million developers exposed.

ThreatVectr Newsdesk· 3 min read
Photoreal news-editorial image of a darkened enterprise network operations center, glowing amber warning indicators reflecting off polished server racks, blurre
Share

Key points

  • Cursor, an AI-assisted code editor used by more than 7 million developers worldwide, contains an unpatched flaw that can run malicious software automatically when a user opens a project.
  • Security research firm Mindgard first reported the vulnerability to Cursor on December 15, 2025, and received no patch or public warning in the seven months that followed.
  • Exploitation requires no technical tricks: an attacker simply places a malicious file named git.exe inside a code repository, and Cursor runs it without asking the user's permission.
  • The flaw affects Cursor on Windows only.
  • Cursor's chief information security officer invited Mindgard into its bug bounty programme in January 2026, where the issue was confirmed as real, but no fix has followed.

Cursor is one of the most widely used AI-assisted development environments, meaning software that helps programmers write code faster using artificial intelligence. Its seven million active users are mostly software developers, and many work inside companies whose source code, customer data, and internal systems sit one project-open away.

The flaw, discovered and published by security research firm Mindgard, is almost embarrassingly simple. When a developer opens a project folder in Cursor on Windows, the editor automatically searches several locations for a program called git.exe, which is the standard tool used to track changes in code. One of the places it looks is the project folder itself. If an attacker has placed a fake, malicious git.exe in that folder, Cursor runs it. No warning appears. No permission is asked.

Mindgard put it bluntly in its write-up: no phishing, no memory corruption, no complex hacking chain required. A developer opens a folder. The malicious file runs.

How would an attacker get a fake file into a developer's project?

The most likely route is a poisoned repository. A repository, in plain terms, is a shared folder where a team stores and shares code, often hosted on platforms like GitHub. An attacker who can contribute to, or simply publish, a repository could hide a malicious git.exe inside it. Any developer who then opens that project in Cursor on Windows would trigger the attack automatically.

Open-source projects are a realistic vehicle. Developers routinely download and open repositories from strangers.

Mindgard reported the flaw to Cursor on December 15, 2025. Cursor's security chief directed the firm to its bug bounty programme on HackerOne (a platform companies use to receive and manage security reports) in January. The bug was resubmitted, confirmed as real and reproducible, and then, according to Mindgard, met with silence. SecurityWeek reported it contacted Cursor for comment and received no reply before publication.

Seven months is a long time. Mindgard chose to publish because, in its words, withholding the information at this point protects no one except the silence itself.

If you are a developer who uses Cursor on Windows, the practical step right now is straightforward: do not open project folders from sources you do not fully trust until Cursor releases a patch. Treat an unknown repository like a package from a stranger. Check whether Cursor has issued an update before opening new projects.

© 2026 Threat Vectr