Fixed in version 2.5
Sandbox escape via writing .git configuration was possible in versions prior to 2.5. A malicious agent (i.e., one steered by prompt injection) could write to improperly protected .git settings, including Git hooks, which may cause out-of-sandbox RCE the next time they are triggered. No user interaction was required, as Git executes these commands automatically.
A high-severity arbitrary code execution vulnerability (CVE-2026-26268) was found in the Cursor AI-powered IDE. The exploit is enabled by a feature interaction in Git that is automatically triggered by the Cursor AI agent’s autonomous execution of Git operations. The vulnerability allows an attacker to execute code on a developer’s machine through the routine action of cloning a repository.
The vulnerability is not a flaw in Cursor’s core logic, but a consequence of a feature interaction in Git that is exploitable when an AI agent autonomously executes Git operations. The attack leverages two Git features:
pre-commit) and live in the .git directory.
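A defensive check for the condition described above, as an added example that is not Cursor's or Git's own code: it lists the hooks Git would run from a repository's .git directory and the .git/config settings that can launch a command. The function names and the selection of config keys are assumptions of this example; the page names only hooks and .git settings in general.

```python
import os
import re
import stat

# Assumption: a selection of Git config keys whose value Git may run as a
# command; the page itself names only hooks and ".git settings" in general.
EXEC_KEYS = {"core.hookspath", "core.fsmonitor", "core.sshcommand", "core.pager",
             "core.editor", "core.askpass", "credential.helper", "diff.external"}
EXEC_SUFFIXES = (".clean", ".smudge", ".process", ".textconv", ".command")
SECTION = re.compile(r'^\[\s*([A-Za-z0-9.-]+)(?:\s+"((?:[^"\\]|\\.)*)")?\s*\]')
KEYVAL = re.compile(r'^([A-Za-z][A-Za-z0-9-]*)\s*(?:=\s*(.*))?$')


def active_hooks(git_dir):
    """Return names of hook files Git would run (executable, not *.sample)."""
    hooks, found = os.path.join(git_dir, "hooks"), []
    if os.path.isdir(hooks):
        for name in sorted(os.listdir(hooks)):
            path = os.path.join(hooks, name)
            if name.endswith(".sample") or not os.path.isfile(path):
                continue
            if os.stat(path).st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
                found.append(name)
    return found


def exec_config(git_dir):
    """Return (key, value) pairs from .git/config that deserve review."""
    cfg, section, hits = os.path.join(git_dir, "config"), "", []
    if not os.path.isfile(cfg):
        return hits
    with open(cfg, encoding="utf-8", errors="replace") as fh:
        for raw in fh:
            line = raw.strip()
            m = SECTION.match(line)
            if m:  # [section] or [section "subsection"]
                section = m.group(1).lower() + ("." + m.group(2) if m.group(2) else "")
                continue
            m = KEYVAL.match(line)
            if not m or not section:
                continue  # comment, blank line, or key outside any section
            key = f"{section}.{m.group(1).lower()}"
            value = (m.group(2) or "").strip()
            top = key.split(".")[0]
            if (key in EXEC_KEYS or (top == "alias" and value.startswith("!"))
                    or (top in ("filter", "diff") and key.endswith(EXEC_SUFFIXES))):
                hits.append((key, value))
    return hits
```

Run both functions against a repository's .git directory before and after an agent session; a hook or setting that appears in between is the change to investigate. The executable-bit test applies to POSIX file systems.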