Levkovich noted that the underlying Git behavior enabling the attack path is well documented, but what is different here is Cursor autonomously deciding to execute Git operations (running hooks) that ultimately result in code execution.
The flaw is tracked as CVE-2026-26268, with a critical severity rating of 9.9 out of 10 assigned by NVD, and affects Cursor versions prior to 2.5. “Sandbox escape via writing .git configuration was possible in versions prior to 2.5,” reads an NVD description of the flaw. “A malicious agent (i.e. prompt injection) could write to improperly protected .git settings, including git hooks, which may cause out-of-sandbox RCE next time they’re triggered.”
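To make the mechanism concrete from the defender's side, here is an added Python audit (not code from the article, NVD or Cursor) that reports what a Git operation in a workspace would actually trigger: whether `.git/config` redirects hooks with the real `core.hooksPath` setting, and which hook files are executable and therefore live. The repository fixture it builds is constructed for the demonstration.

```python
import re
import stat
import tempfile
from pathlib import Path

SECTION_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$")
KV_RE = re.compile(r"^\s*([A-Za-z0-9-]+)\s*=\s*(.*?)\s*$")

def git_hooks_path(config_text):
    """Return core.hooksPath from .git/config text, or None if unset (small tolerant parser)."""
    section = None
    for line in config_text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).strip().lower()
            continue
        m = KV_RE.match(line)
        if m and section == "core" and m.group(1).lower() == "hookspath":
            return m.group(2)
    return None

def audit_repo(repo):
    """Findings a sandbox policy check should raise before an agent runs git in this repo."""
    repo = Path(repo)
    git_dir = repo / ".git"
    findings = []
    config = git_dir / "config"
    hooks_path = git_hooks_path(config.read_text()) if config.is_file() else None
    hooks_dir = git_dir / "hooks"
    if hooks_path is not None:
        findings.append(f"core.hooksPath overridden: {hooks_path}")
        # A relative hooksPath resolves against the working tree; joining an absolute one keeps it absolute.
        hooks_dir = repo / hooks_path
    if hooks_dir.is_dir():
        for hook in sorted(hooks_dir.iterdir()):
            # Git ignores *.sample files and files without the execute bit.
            if hook.suffix == ".sample" or not hook.is_file():
                continue
            if hook.stat().st_mode & stat.S_IXUSR:
                findings.append(f"active hook: {hook.name}")
    return findings

def build_demo_repo():
    """Constructed fixture: config redirects hooks into the worktree, where one hook is executable."""
    repo = Path(tempfile.mkdtemp())
    (repo / ".git" / "hooks").mkdir(parents=True)
    (repo / ".git" / "hooks" / "pre-commit.sample").write_text("#!/bin/sh\n")
    (repo / ".git" / "config").write_text("[core]\n\tbare = false\n\thooksPath = .githooks\n")
    (repo / ".githooks").mkdir()
    hook = repo / ".githooks" / "post-checkout"
    hook.write_text("#!/bin/sh\necho hook ran\n")
    hook.chmod(hook.stat().st_mode | stat.S_IXUSR)
    return repo
```

Run `audit_repo(build_demo_repo())` to see both findings; on a clean clone with only the shipped `.sample` files the list is empty.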
Expanded attack surface with agentic IDEs
Novee warned that while traditional IDEs are passive, doing what developers explicitly tell them to do, Cursor’s AI agent interprets intent and autonomously decides which commands to run, which includes Git operations. And that’s where the problem lies.