Particle.news

Cursor Bug Lets Repo-Placed git.exe Run Automatically on Windows

The flaw allows a malicious binary in a project folder to execute as the logged-in developer, forcing users to rely on host controls or isolated environments until vendors produce fixes.

Overview

  • Researchers disclosed that opening a repository in Cursor on Windows can cause Cursor to run a git.exe placed in the repo root, which then executes with the user’s privileges.
  • Mindgard says it privately reported the issue to Cursor on December 15, 2025 and published full technical details after HackerOne reproduced and confirmed the report; Mindgard publicly disclosed the flaw on July 15, 2026.
  • The underlying cause is a long‑standing Windows 'untrusted search path' behavior where tools probe for helper executables in the workspace before trusted system locations and thus run repo binaries without prompting.
  • Vendor responses have been inconsistent: some vendors closed or down‑rated similar reports while others acknowledged the class of flaw, and as of mid‑July 2026 no broad cross‑vendor fixes had been widely deployed.
  • Researchers recommend immediate mitigations such as AppLocker or Windows App Control path rules, EDR parent-aware policies, and opening untrusted repositories in disposable VMs or Windows Sandbox to protect keys and credentials.