Cursor zero day hero image

Here's a security bug so simple it barely counts as research. Put a git.exe in a repository. Open that repo in Cursor on Windows. Cursor runs your binary. No prompt. No warning. No click required. That is the entire exploit chain.

Mindgard, an AI security firm, found this in December 2025. They reported it the same day. Seven months and 70-plus Cursor releases later, they went public with the details on July 14 because nobody at Cursor would tell them anything.

The bug lives in Cursor's Git discovery logic. When Cursor opens a project, it searches for Git binaries in several places. One of those places is the project directory itself. If it finds a git.exe there, it runs it. Mindgard proved the point by renaming Windows Calculator to git.exe, dropping it in a repo, and opening the project. Calculator popped up. Then another. Then more. Cursor kept re-executing the file during normal operation.

A real attacker would swap Calculator for a credential stealer, a ransomware dropper, or a backdoor. The result is arbitrary code execution at the user's privilege level with zero user interaction.

The seven month silence

Mindgard's Aaron Portnoy submitted the report to Cursor's security contact on December 15. No response. Follow ups went unanswered. He posted publicly on LinkedIn trying to find someone at Cursor who would talk. Eventually Cursor's CISO responded and said an internal automation failure had prevented the HackerOne workflow from triggering.

The report entered HackerOne's private program. Mindgard resubmitted. HackerOne reproduced the issue and confirmed delivery to Cursor on January 20. Then everything stopped. Portnoy sent update requests in February, March, April. Nothing. HackerOne confirmed Cursor was not responding. He escalated through HackerOne. No engagement. He reached out directly to Cursor leadership. Silence.

Meanwhile Cursor shipped 70 releases. New features, new announcements, a reported $60 billion valuation and $4 billion in annualized revenue. The vulnerability stayed in every one of those 70 builds. Portnoy's blog post points out that the PoC was tested against Cursor 3.2.16 on April 30 and it still worked. At some point this stops being a disclosure failure and starts being a choice.

Portnoy eventually told HackerOne in June he intended to go public. On July 14, 2026, Mindgard published full disclosure. A Cursor spokesperson told Dark Reading they "addressed the issue on July 13" and would contact Mindgard. As of publication, Cursor's website has no security notice or patched version number.

What this means for the disclosure pipeline

Cursor is not just another code editor. It has 7 million active users, a million daily active users, a million paying customers, and 50,000 companies using it. A $60 billion company left a trivial code execution vulnerability in its product for seven months while researchers begged for a response.

The coordinated disclosure mechanism works when both sides participate. When one side stops communicating, the whole thing breaks. Portnoy's question cuts to the bone: "What exactly is the security process for?" If a $60 billion IDE vendor with a bug bounty program, a security.txt file, and a CISO on staff cannot handle "git.exe runs from the repo root," then the pipeline is not just broken for this one bug. It is broken for everything.

This also raises uncomfortable questions about how Cursor got here. The company raised billions, acquired SpaceX assets, and reached a valuation that rivals established software giants. Yet its Git path resolution logic searches the workspace before checking system directories. That decision alone turned every repository into a potential attack vector, and it took a security firm seven months and a public shaming to get a response.

What to do right now

If you use Cursor on Windows, open untrusted repositories only in a virtual machine or Windows Sandbox. Enterprise administrators can use AppLocker or Windows App Control to block execution of git.exe from developer workspace directories. Do not rely on file hash blocklists. An attacker can change the hash by recompiling.

And if you are a security researcher watching Cursor's silence play out, consider what it means before sending your next vulnerability report their way.

Sources