Opening a repo with a malicious binary at its root triggers arbitrary code execution with no prompt, and Mindgard says Cursor still hasn't fixed it more than 197 releases later.
According to Mindgard, opening a project in Cursor on Windows can silently run attacker code: if a malicious file named git.exe sits at a repository's root, the AI coding editor executes it the moment the repo is opened — with no clicks, prompts, approval dialogs, or warnings.
The behavior traces to how Cursor resolves git. When it loads a project, Mindgard's disclosure says, it looks for git binaries across several locations, including the current workspace, so the planted file runs as part of that search — yielding arbitrary code execution under the current user's privileges.
The execution is not a one-off. While the project stays open, Cursor keeps re-invoking the binary, spawning fresh instances over time. To show it safely, Mindgard describes renaming Windows Calculator to git.exe and dropping it in a test repository's root; simply opening Cursor against that repo launched Calculator, and more windows kept appearing.
The bar to exploit is low. By Mindgard's account, no exploit chain, prompt injection, model manipulation, jailbreak, or memory corruption is needed — only that a developer open a project carrying a git.exe at its root.
Mindgard dates the find to December 15, 2025, reported to Cursor the same day and followed up on repeatedly. More than six months and over 197 Cursor releases later, the company says, the flaw is still present in the latest version it tested.
Mindgard also describes a stalled engagement. Cursor's CISO eventually acknowledged that an internal automation failure had blocked the expected HackerOne workflow and invited Mindgard into the company's private bug bounty. The resubmitted report was first closed as 'Informative' and marked out of scope; after Mindgard challenged that, HackerOne reopened it, reproduced the issue, and confirmed the details had reached Cursor. From there, the firm says, its requests for status updates, further follow-ups, escalation through HackerOne, and direct outreach to Cursor leadership all went unanswered.
With no patch available, Mindgard offers only interim steps. Administrators of managed Windows systems can use path-based AppLocker or Windows App Control deny rules scoped to workspace roots — not hash-based, since attacker-supplied binaries can carry varying hashes. Consumers, it advises, should open untrusted repositories only inside an isolated VM, Windows Sandbox, or another disposable environment until Cursor is fixed.