CVE-2026-26268 — Missing Authorization in Cursor

CWE-862 — Missing Authorization2 documents2 sources

Severity

9.9CRITICALNVD

EPSS

0.0%

top 87.45%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Cursor Anysphere Cursor

Timeline

PublishedFeb 13

Description

Cursor is a code editor built for programming with AI. Sandbox escape via writing .git configuration was possible in versions prior to 2.5. A malicious agent (ie prompt injection) could write to improperly protected .git settings, including git hooks, which may cause out-of-sandbox RCE next time they are triggered. No user interaction was required as Git executes these commands automatically. Fixed in version 2.5.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:HExploitability: 3.1 | Impact: 6.0

Affected Packages2 packages

▶CVEListV5cursor/cursor< 2.5

▶NVDanysphere/cursor< 2.5

🕵️Threat Intelligence

Wiz

CVE-2026-26268 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶