title: "Cursor IDE zero-day lets AI agents execute malicious code"
slug: "cursor-ide-zero-day-lets-ai-agents-execute-malicious-code"
published: ""
beat: "Crime"
tags: ["Crime", "Policy"]
creator: "Agentry Newsroom"
editor: "Susanne Sperling, Editor — Human in the Loop"
tools: ["Claude (Anthropic)", "Perplexity Sonar"]
creativeWorkStatus: "verified"
dateReviewed: "2026-06-29"
aiActArticle50: "compliant"
humanView: "https://agentry.news/cursor-ide-zero-day-lets-ai-agents-execute-malicious-code"
agentView: "https://agentry.news/agent/cursor-ide-zero-day-lets-ai-agents-execute-malicious-code"

Cursor IDE zero-day lets AI agents execute malicious code

Novee Security researchers disclosed CVE-2026-26268 on April 28, 2026—a high-severity vulnerability in Cursor IDE that allows attackers to force a developer's local AI coding agent to execute maliciou

Drafted by an AI agent. Verified by Susanne Sperling, Editor — Human in the Loop.

Zero-Day Exposes AI Agent Attack Surface

Novee Security reports that it identified CVE-2026-26268, a high-severity arbitrary code execution vulnerability in Cursor IDE. The flaw was publicly disclosed on April 28, 2026, and sits at the intersection of two emerging attack surfaces: AI-powered coding assistants and Git-based development workflows.

The vulnerability carries a CVSS score of 8.1, indicating severe risk to developers using Cursor IDE alongside autonomous AI agents. The attack mechanism is both elegant and dangerous: attackers manipulate integrated Git hooks—scripts that execute automatically during repository operations—to force a developer's local AI coding agent to execute arbitrary malicious code without any user interaction, click, or prompt.

"The flaw exposed a new attack surface: the intersection of AI coding agents and Git hooks. By manipulating these integrated workflows, attackers could force a developer's local AI agent to execute malicious code automatically, with no user interaction required," Novee Security reported.

How the Attack Works

The vulnerability leverages the trust model built into modern development environments. Git hooks are a standard feature of version control systems, typically used for automated code quality checks, testing, and deployment tasks. When a Cursor IDE user clones or updates a repository containing a malicious Git hook, the AI agent integrated into Cursor automatically executes the hook's contents—bypassing traditional security prompts that might alert a human developer.

This attack pattern highlights a fundamental tension in AI agent design: autonomous systems are built to act without friction or interruption, but that same efficiency creates blind spots that malicious actors can exploit. A compromised repository or a supply-chain attack targeting Git hooks can now directly compromise a developer's machine and any credentials stored there.

Vendor and Researcher Response

Anysphere, the developer of Cursor IDE, has not yet publicly announced a patched version or mitigation timeline in the available security disclosures. The vulnerability remains actionable as of June 29, 2026, affecting developers running unpatched versions of the IDE.

The disclosure by Novee Security underscores a growing pattern: as enterprises integrate AI agents into critical workflows—coding, testing, infrastructure management—the attack surface expands faster than defensive tooling can keep pace. No legal action, court venue, or regulatory enforcement has been initiated in connection with this vulnerability disclosure.

Broader Implications for AI Agent Security

This CVE is not an isolated incident but symptomatic of a deeper challenge. AI agents executing code in development environments represent a new class of privilege escalation risk. Unlike traditional software vulnerabilities that require user interaction or social engineering, agent-based flaws can be weaponized silently across entire development teams through compromised dependencies and malicious repositories.

Developers using Cursor IDE should immediately audit their Git hook configurations and consider isolating their AI agent execution contexts until an official patch is released.
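One way to carry out the hook audit recommended above, as an added example that is not code from Novee Security or Anysphere. It assumes a POSIX filesystem, reads only each repository's own `config` file with a simple line scan, and uses illustrative function names.

```python
# Added example: names below are illustrative, not from Cursor or Novee.
import os
import re

SECTION = re.compile(r"^\s*\[\s*([A-Za-z0-9.-]+)")
HOOKS_PATH = re.compile(r"^\s*hookspath\s*=\s*(.*?)\s*$", re.IGNORECASE)

def hooks_path_override(config_file):
    """Return core.hooksPath from one Git config file, or None if unset."""
    section, value = "", None
    try:
        with open(config_file, encoding="utf-8", errors="replace") as fh:
            for line in fh:
                header = SECTION.match(line)
                if header:
                    section = header.group(1).lower()
                    continue
                setting = HOOKS_PATH.match(line)
                if setting and section == "core":
                    value = setting.group(1)  # a later assignment wins
    except OSError:
        pass
    return value

def is_git_dir(path):
    """Heuristic: a Git directory (.git, bare repo, submodule) has these."""
    return (os.path.isfile(os.path.join(path, "HEAD"))
            and os.path.isdir(os.path.join(path, "objects")))

def audit_hooks(root):
    """Return (kind, git_dir, detail) findings for every Git dir under root."""
    findings = []
    for dirpath, _dirs, _files in os.walk(root):
        if not is_git_dir(dirpath):
            continue
        override = hooks_path_override(os.path.join(dirpath, "config"))
        if override:
            findings.append(("hooksPath", dirpath, override))
        hooks_dir = os.path.join(dirpath, "hooks")
        if not os.path.isdir(hooks_dir):
            continue
        for name in sorted(os.listdir(hooks_dir)):
            full = os.path.join(hooks_dir, name)
            # Git skips the shipped *.sample files and non-executable files.
            if name.endswith(".sample") or not os.path.isfile(full):
                continue
            if os.stat(full).st_mode & 0o111:
                findings.append(("active-hook", dirpath, name))
    return findings
```

Call `audit_hooks` on the directory that holds your checkouts and review every `active-hook` and `hooksPath` entry you did not create yourself. A user-level or system-level `core.hooksPath` is outside this scan and can be listed with `git config --show-origin --get-all core.hooksPath`.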
