Image: Mindgard
The renowned cybersecurity firm Mindgard recently published an expose detailing a high-severity zero-day vulnerability harboring within Cursor, the prominent artificial intelligence coding assistant backed by SpaceX. Although initial notifications were dispatched to the developers on December 15, 2025, the flaw remains entirely unresolved. This stagnation persists despite seven months of continuous dialogue, a tumultuous routing through the HackerOne bug bounty program, and the release of over seventy software updates.
The Mechanics of Silent Exploitation
The mechanics of exploitation are alarmingly elementary. Primarily affecting Cursor for Windows, the flaw triggers when a developer opens a project directory. By default, the editor searches for Git executables across multiple pathways, erroneously including the active working directory. Because Git executables are typically excluded from project repositories, an adversary need only deposit a malicious git.exe at the root of a repository. Consequently, Cursor executes the file silently, dispensing with any confirmations, warnings, or dialogue prompts.
Mindgard attributes this exposure to flawed path resolution logic within the editor. Secure integrated development environments invariably prioritize trusted system directories or explicit developer configurations when invoking Git. Conversely, Cursor meticulously scans multiple environments, including the untrusted workspace itself.
Continuous Invocation and Supply Chain Risks
Furthermore, researchers observed that Cursor repeatedly searches for and invokes the Git executable throughout an active session. In a realistic threat scenario, an attacker could seamlessly disguise a backdoor binary as git.exe and plant it in a public repository. Once an unsuspecting developer clones the repository and opens the project, the payload triggers automatically. This vector is highly potent for open-source project poisoning or supply chain compromises, potentially enabling threat actors to compromise widely distributed software repositories.
A Breakdown in Coordinated Disclosure
Confronted with an unresponsive vendor, public disclosure became the sole recourse to protect developers. For a deeper understanding of this communication breakdown, readers can review Mindgard’s detailed narrative on this Cursor zero-day vulnerability. Mindgard initial warnings on December 15 and 18, 2025, met with complete silence. By January 2026, researchers bypassed traditional channels to engage Cursor’s security officers directly, discovering that an automated invite system for their private HackerOne program was broken.
Even after shifting the report to HackerOne, the disclosure path was heavily obstructed. Evaluators initially dismissed the ticket as “out of scope.” Following a formal dispute, HackerOne successfully reproduced the flaw and escalated it to Cursor. Regretfully, subsequent inquiries regarding remediation yielded no response, even after researchers escalated the issue directly to C-suite executives. Ultimately, Mindgard initiated the public disclosure countdown on June 1, culminating in a complete release on July 14, 2026.
Urgent Mitigation Recommendations
Mindgard emphasizes that the issue is no longer about the time required to develop a patch. Rather, the developer continues to distribute new iterations while neglecting to inform users of the underlying risks. To mitigate this hazard, Windows developers should refrain from opening untrusted codebases on local machines. Additionally, network administrators should deploy AppLocker or Windows Defender Application Control (WDAC) to restrict the execution of binaries from developer workspaces and download folders.
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.