Researchers from threat hunting firm Novee have found a security flaw in a popular AI-powered Integrated Development Environment (IDE) called Cursor. This high-severity arbitrary code execution vulnerability, tracked as CVE-2026-26268 (CVSS 8.1), allows hackers to take control of a programmer’s computer just by having them clone a project repository (downloading a copy of a project’s files and its entire history on your computer from a website like GitHub).
How the Attack Works
It must be noted that this issue isn’t caused by some bug in the Cursor code (core product logic) itself. It actually is caused by the way the AI tool interacts with Git, a popular and widely used software to track code changes.
Usually, Git uses Git hooks, which are small scripts that run automatically during certain tasks. According to researchers, hackers can hide a malicious pre-commit hook inside a nested bare repository. This is a special folder that holds version control data without showing any actual files to the user.
When the Cursor AI agent tries to do normal tasks like a git checkout, it accidentally triggers the hidden trap, leading to arbitrary code execution. This means the hacker’s code runs without any warning or pop-up asking for permission. It all happens so discreetly, mainly because of the Cursor Rules file that tells the AI what to do.
Why AI Agents Are the Targets
AI agents are changing the way scammers operate. In the past, a client-side attack usually required a person to click on a suspicious link at least once. Since the AI agent in Cursor can make its own choices and run system-level commands, it can be tricked into running malware while it thinks it is just helping the user, and this is “what makes this vulnerability exploitable at scale,” researchers noted.
They further explained that the attack surface is growing because AI tools now work autonomously on untrusted code from the internet. So, when a developer clones a project from a public site, the AI will start working on it and activate the exploit immediately.
Since this attack doesn’t involve social engineering or user interaction and just cloning a public repository, a routine task that AI agents now automate, the underlying environment becomes a serious security risk as these tools gain more autonomy.
Fixing the Problem
Following responsible disclosure principles, Novee researchers informed and collaborated with Cursor developers to fix the issue. The official fix was completed in February 2026, and the vulnerability details were disclosed on April 28th in a blog post and shared with Hackread.com.
This discovery is a big deal because a developer’s computer usually holds sensitive private data, like access tokens, passwords, and secret company code. Therefore, Novee experts recommend that security teams must now audit AI coding assistants rather than just assuming they are safe.
“The assumption is that the tools developers use to build software are themselves secure. That assumption is worth revisiting, especially when those tools are AI-powered agents, operating autonomously inside a developer’s local environment on code from any source on the internet,” researchers concluded.
