Cursor 0day: When Full Disclosure Becomes the Only Protection Left
Synthetic7346
310 points
146 comments
July 14, 2026
Related Discussions
Found 5 related stories in 876.2ms across 14,015 title embeddings via pgvector HNSW
- The zero-days are numbered mccr8 · 31 pts · April 21, 2026 · 55% similar
- Safeguarding cryptocurrency by disclosing quantum vulnerabilities responsibly madars · 30 pts · March 31, 2026 · 55% similar
- 1k Data Breaches Later, the Disclosure Lag Is Worse 882542F3884314B · 52 pts · June 08, 2026 · 55% similar
- Follow-up to Carrot disclosure: Forgejo homebrewer · 57 pts · April 30, 2026 · 50% similar
- Privacy Is Not Dead: Beware the All-or-Nothing Mindset Cider9986 · 11 pts · June 04, 2026 · 49% similar
Discussion Highlights (20 comments)
aliasxneo
I'm struggling to understand the process that went into this "feature" existing. It seems the most likely candidate is a developer's git started malfunctioning and an agent "fixed" it by dropping a `git.exe` in the repo and then conditionally calling it when it exists.
nubg
> Most coordinated disclosures follow a familiar pattern: > 1. A vulnerability is reported. > 2. A dialogue begins. > 3. Severity is discussed. > 4. Engineering teams investigate. > 5. Fixes are developed. > 6. Users are protected. > 7. Public disclosure follows. 8. The author prompts an LLM to write a blog post. 9. HN users are wasting time, unsure which parts of the post come from the actual prompt, and which are hallucinated world knowledge slop.
nosefrog
Would be nice if the timeline matched up with the text of the blog post (missing "HackerOne provides disclosure guidance").
ajhenrydev
This report reads a bit like AI writing :/ You need to have an already malicious payload on your pc to make this exploit work (via clone/download/magic). I can understand the severity of the exploit but at the same time I’d hope to not have to run into this situation for it to happen in the first place
minraws
Why is cursor subsequently executing anything? Like what is this black magic they want to do? I want to know the decision tree here? Was this cursor coded? I do not understand the point, btw vim has had similar issues with it executing stuff you might not expect by loading a file but it was obviously a vim feature with %{expr}. But why specifically git.exe , this seems like the most redundant bug cve which could have been trivially patched, who does this feature help exactly? I am not really a user of cursor never used it for even a single day, but at this point I am curious why this exists...
Illniyar
It's pretty weird for cursor to run arbitrary exe file without prompting, and alarming that the researchers did not get a proper response for months. But the example with calculator is a bit misleading I think, you'll have to have a malicious exe already in the system and downloaded, and if cursor tried to run my understanding is that ACL should immediately kick in and you'll be asked for permission to run a new, unsigned app for the first time. You'll have to have ACL disabled completely for this to be exploitable.
chrisjj
> Until the IDE is patched, open untrusted repositories only in an isolated VM, Windows Sandbox, or other disposable environment. Got to wonder why trusted repositories are excluded...
chrisjj
> The most obvious question is also the simplest: Why hasn't this been fixed? Obvious answer is obvious. The devs do not consider it a bug.
firer
All too common... It's sad yet understandable how a company would not prioritize security. At the same time, it's also understandable how a security start-up, upon (rightly) getting fed up waiting, decide to publicly disclose, as a way to scrape some PR out of the sunk cost. Public disclosure has a place. But if you truly care about helping, you could do more than bumping on HackerOne and messaging the CISO once on LinkedIn. Maybe I'm too cynical but it truly feels like nobody actually cares at this point.
dclowd9901
This draws to mind the dialog that opens when you open a new project in Cursor (and VSCode too, I think), where the IDE asks the user if they trust the project they're opening. Is Cursor under the impression that this is sufficient security apparatus?
vanyaland
Does the git lookup run before the trust check, or ignore it?
827a
Frankly, if you git clone a compromised repository, I'm not sure that a vulnerability of the class "compromised code in that repository will be executed" is all that major a concern. There are plenty of IDEs that will go autonomously run npm installs (with post-install scripts) for you when they detect a package.json. This isn't all that different than that. They could throw up a warning like "do you trust this repository" oh wait they already do, and no one cares. Security is hard. Ultimately if you have compromised code on your machine, all bets are off.
awongh
I guess this is only specific to a file in the root of the repo, so it doesn't allow for an NPM supply chain attack?
jjcm
I'm not sure I fully agree with this being a major vuln. There's a lot of up front scary text which was raising a lot of red flags until it actually discussed the "what". An actor has to place a malicious .exe in the user's code folder, named git.exe, for this to take place. I see this akin to something like saying "replacing their .bashrc with an alias that says `ls` instead executes `/tmp/mega-big-virus.sh` is a vuln". Yes it's a vector, but if they've placed something in your filesystem like that already, you've already been compromised.
aniceperson
damn those ai written Blogs are tiring. o a single paragraph saying that "cursor o windows loads ./git.exe with higher precedence" would be enough.
bragr
I think this is slightly less of a Cursor bug than a bit of a Windows quirk: Windows searches the current working directory for executables before resorting to the path variable. I imagine a lot of stuff is vulnerable to such an "attack" on Windows.
wxw
> The vulnerability was first identified by Mindgard on December 15, 2025. We reported it the same day and multiple times since. More than six months and 197+ new versions later, the issue remains present in the latest tested version of Cursor. > The report was initially closed as Informative and out of scope. After we challenged that determination, HackerOne reopened the report, reproduced the issue, and confirmed that the details had been delivered to Cursor. And then everything stopped. Requests for updates went unanswered, additional follow-ups received no response, escalation through HackerOne produced no meaningful engagement, and direct outreach to Cursor leadership yielded the same result: no response. Really unfortunate. I don't understand why there's such a lack of response on the Cursor side.
hmokiguess
The 0 day vulnerability is actually a developer is using Windows
imglorp
This is exactly why Unix PATH (and offspring) does not contain "." by default. If you unpack an untrusted archive and run "ls" you could get popped. Agents should be no different.
paxys
Clone a repo and run "npm install" and the exact same thing will happen. You can say "oh I would never run npm install on a repo I don't trust"...but then why are you cloning it and opening it in an IDE in the first place? Especially an IDE whose entire purpose is to run autonomous coding agents?