CVE-2026-26268
published 2026-02-13

Priority: P260
Severity: critical, 9.9 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS: 0.49% (38.4th percentile)

Cursor is a code editor built for programming with AI. Sandbox escape via writing .git configuration was possible in versions prior to 2.5. A malicious agent (i.e. prompt injection) could write to improperly protected .git settings, including git hooks, which may cause out-of-sandbox RCE the next time they are triggered. No user interaction was required as Git executes these commands automatically. Fixed in version 2.5.

Affected (2 ranges)

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| anysphere | cursor | < 2.5 | 2.5 |
| cursor | cursor | < 2.5 | 2.5 |

Detection & IOCs (extracted from sources)

path: .git
filename: AGENTS.md
command: git checkout
  • Monitor for creation or modification of Git hook files (e.g., post-checkout, pre-commit) inside nested or bare repositories (.git directories) within project workspaces, especially when triggered by an AI agent process such as Cursor.
  • Alert on AGENTS.md files present in cloned repositories that contain instructions to navigate into bare/nested repositories and execute git operations — this is the delivery mechanism for the prompt injection attack chain.
  • Detect post-checkout or pre-commit Git hook execution spawned as a child process of the Cursor IDE process, particularly when the hook resides inside a nested bare repository rather than the top-level .git directory.
  • The attack requires no user interaction beyond opening the repository and issuing a routine prompt; detection should focus on process lineage: Cursor IDE → git → hook script execution.
  • The vulnerability is fixed in Cursor version 2.5; any deployment running versions prior to 2.5 is vulnerable. Upgrade is the primary mitigation.
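
An added example, not taken from the advisory or from Cursor: a workspace audit for the first detection point above, listing every non-sample hook file in top-level, nested and bare git directories. The `HEAD`/`objects`/`refs` test for recognising a git directory and the constructed sample layout (`vendor/cache.git`) are assumptions of this example.

```python
import os
import stat

def is_git_dir(path):
    """A git directory (a .git dir or a bare repo) holds HEAD, objects/ and refs/."""
    return (os.path.isfile(os.path.join(path, "HEAD"))
            and os.path.isdir(os.path.join(path, "objects"))
            and os.path.isdir(os.path.join(path, "refs")))

def find_active_hooks(workspace):
    """Return sorted (git_dir, kind, hook, executable) for each non-sample hook."""
    workspace = os.path.abspath(workspace)
    top_git = os.path.join(workspace, ".git")
    findings = []
    for root, dirs, _files in os.walk(workspace):
        if not is_git_dir(root):
            continue
        dirs[:] = []  # no need to descend into objects/, refs/, hooks/
        if root == top_git:
            kind = "top-level"
        else:
            kind = "nested" if os.path.basename(root) == ".git" else "bare"
        hooks_dir = os.path.join(root, "hooks")
        if not os.path.isdir(hooks_dir):
            continue
        for name in sorted(os.listdir(hooks_dir)):
            if name.endswith(".sample"):
                continue  # inert templates shipped by git
            # lstat: a symlinked hook is reported as executable (conservative)
            mode = os.lstat(os.path.join(hooks_dir, name)).st_mode
            executable = bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))
            findings.append((os.path.relpath(root, workspace), kind, name, executable))
    return sorted(findings)

def build_sample_workspace(base):
    """Constructed layout: a clean top-level .git plus a bare repo carrying a hook."""
    for git_dir in (".git", os.path.join("vendor", "cache.git")):
        for sub in ("objects", "refs", "hooks"):
            os.makedirs(os.path.join(base, git_dir, sub))
        with open(os.path.join(base, git_dir, "HEAD"), "w") as fh:
            fh.write("ref: refs/heads/main\n")
    open(os.path.join(base, ".git", "hooks", "pre-commit.sample"), "w").close()
    hook = os.path.join(base, "vendor", "cache.git", "hooks", "post-checkout")
    with open(hook, "w") as fh:
        fh.write("#!/bin/sh\n# placeholder body\n")
    os.chmod(hook, 0o755)

if __name__ == "__main__":
    import sys
    for finding in find_active_hooks(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(*finding, sep="\t")
```

Any `nested` or `bare` finding in a freshly cloned project is worth reviewing before an agent runs git operations there; comparing successive runs shows hooks that appeared after an agent session.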