{"id":22164,"date":"2026-07-15T14:56:40","date_gmt":"2026-07-15T14:56:40","guid":{"rendered":"https:\/\/www.securitytoday.de\/2026\/07\/15\/cursor-launches-git-exe-from-repo-root-windows\/"},"modified":"2026-07-15T14:56:40","modified_gmt":"2026-07-15T14:56:40","slug":"cursor-launches-git-exe-from-repo-root-windows","status":"publish","type":"post","link":"https:\/\/www.securitytoday.de\/en\/2026\/07\/15\/cursor-launches-git-exe-from-repo-root-windows\/","title":{"rendered":"Cursor Launches git.exe from Repository Root on Windows"},"content":{"rendered":"<p style=\"color:#69d8ed;font-weight:700;font-size:0.9em;letter-spacing:0.04em;margin:0 0 16px 0;\">8 Min. Read time<\/p>\n<p><strong>Mindgard describes a simple, serious flaw in Cursor on Windows: If a file named git.exe resides in the project root, the IDE launches it when opening the repo without prompting or warning, with the developer&#8217;s privileges. Disclosure since December 2025, public Full Disclosure on 14. July 2026, according to research still unpatched.<\/strong><\/p>\n<div style=\"background:#003340;color:#fff;padding:32px 36px;margin:32px 0;border-radius:8px;\">\n<p style=\"margin:0 0 18px 0;font-size:0.95em;font-weight:800;text-transform:uppercase;color:#69d8ed;border-bottom:2px solid rgba(105,216,237,0.25);padding-bottom:12px;\">Key Takeaways<\/p>\n<ul style=\"margin:0;padding-left:22px;color:rgba(255,255,255,0.92);line-height:1.6;\">\n<li style=\"margin-bottom:12px;\"><strong style=\"color:#69d8ed;\">No click needed.<\/strong> Opening a repo is enough if git.exe is in the root.<\/li>\n<li style=\"margin-bottom:12px;\"><strong style=\"color:#69d8ed;\">Months without fix.<\/strong> Report 15.12.2025, Full Disclosure 14. July 2026, 197+ versions later according to Mindgard still present.<\/li>\n<li style=\"margin-bottom:12px;\"><strong style=\"color:#69d8ed;\">Shadow-IT risk.<\/strong> AI IDEs should be included in software BOMs and whitelists.<\/li>\n<li><strong style=\"color:#69d8ed;\">Mitigation now.<\/strong> AppLocker\/App Control against Workspace executables; untrusted repos only in sandbox or VM.<\/li>\n<\/ul>\n<\/div>\n<p style=\"font-size:0.88em;color:#a8a59c;margin:20px 0 32px 0;border-top:1px solid rgba(105,216,237,0.18);border-bottom:1px solid rgba(105,216,237,0.18);padding:10px 0;\"><span style=\"font-family:monospace;color:#69d8ed;font-weight:700;text-transform:uppercase;font-size:0.72em;letter-spacing:0.14em;margin-right:14px;\">Related:<\/span><a href=\"https:\/\/www.securitytoday.de\/2026\/05\/25\/trapdoor-supply-chain-npm-pypi-crates-ci-cd-checks-2026\/\" style=\"color:#e6e3da;text-decoration:underline;\">TrapDoor Supply-Chain on npm\/PyPI<\/a>&nbsp;&nbsp;<span style=\"color:#555;\">\/<\/span>&nbsp;&nbsp;<a href=\"https:\/\/www.securitytoday.de\/2026\/05\/03\/source-code-breaches-wenn-angreifer-den-security-vendor-vor-dem-patch-kennen\/\" style=\"color:#e6e3da;text-decoration:underline;\">Source Code Leaks and Patch Bypass<\/a><\/p>\n<h2 style=\"margin-top:64px;margin-bottom:20px;padding-top:16px;\">The Bug in a Paragraph<\/h2>\n<p><strong>What is the Cursor-git.exe Bug?<\/strong> When loading a project, Cursor searches for Git binaries in multiple locations, including the workspace. A git.exe placed in the repository root is executed as part of the path resolution. Process-monitor traces show Cursor.exe launching git rev-parse &#8211;show-toplevel with the workspace binary. Mindgard\u2019s PoC exploits Windows machines that rename calc.exe to git.exe. The calculator starts and respawns while running.<\/p>\n<div data-element=\"definition_box\" style=\"background:#23261f;border:1px solid rgba(105,216,237,0.22);border-radius:10px;padding:20px 24px;margin:32px 0;box-shadow:inset 0 1px 0 rgba(230,227,218,0.06),0 2px 10px rgba(0,0,0,0.22);\">\n<p style=\"margin:0 0 8px;font-family:'IBM Plex Mono',ui-monospace,SFMono-Regular,monospace;font-size:0.72em;letter-spacing:0.12em;text-transform:uppercase;color:#69d8ed;\">Definition \u00b7 Binary Planting in the IDE<\/p>\n<p style=\"margin:0;color:#e6e3da;line-height:1.6;\">The Integrated Development Environment (IDE) also searches for tool binaries within the workspace. A compromised repository supplies git.exe in the root. When opened, the IDE launches the attacker\u2019s code in the developer\u2019s user context.<\/p>\n<\/div>\n<p>No prompt injection, no model jailbreak. Binary planting in the workspace. For attackers, a single compromised repository suffices: clone it, open it in Cursor, and the code runs in the developer\u2019s user context. Often granting access to tokens, SSH keys, and internal packages.<\/p>\n<h2 style=\"margin-top:64px;margin-bottom:20px;padding-top:16px;\">Timeline and Vendor Silence<\/h2>\n<p>Mindgard reported on 15. December 2025 to security-reports@cursor.com. Via HackerOne and the CISO channel, confirmation and reproduction were obtained, after which, according to the research, there was long silence. On 14. July 2026, full disclosure followed because coordinated remediation did not occur. As of the research publication: no patch, no public advisory from the vendor.<\/p>\n<p>For CISOs, this is the second finding besides the bug: vendor SLA and disclosure hygiene belong in the evaluation of AI coding tools. Productivity alone is not a trust argument. Cursor is shadow IT in many engineering organizations. The fix horizon is unknown.<\/p>\n<h2 style=\"margin-top:64px;margin-bottom:20px;padding-top:16px;\">What Companies Must Do Until the Fix<\/h2>\n<p>Until a vendor fix takes effect, the mitigation stays in place: inventory Cursor users on Windows, enforce policies for untrusted repositories, and deploy endpoint controls that block malicious workspace executables. This checklist represents the baseline security requirements for chief information security officers (CISOs) and engineering leads.<\/p>\n<div data-element=\"checklist\" style=\"background:#23261f;border:1px solid rgba(105,216,237,0.22);border-radius:10px;padding:22px 24px;margin:32px 0;box-shadow:inset 0 1px 0 rgba(230,227,218,0.06),0 2px 10px rgba(0,0,0,0.22);\">\n<p style=\"margin:0 0 12px;font-family:'IBM Plex Mono',ui-monospace,SFMono-Regular,monospace;font-size:0.72em;letter-spacing:0.12em;text-transform:uppercase;color:#69d8ed;\">Secure Cursor on Windows<\/p>\n<ul style=\"margin:0;padding-left:0;list-style:none;\">\n<li style=\"margin:0 0 10px;padding-left:26px;position:relative;color:#e6e3da;line-height:1.5;\"><span style=\"position:absolute;left:0;color:#69d8ed;\">&#10003;<\/span>Inventory: Which teams use Cursor on Windows (license, MDM, downloads)?<\/li>\n<li style=\"margin:0 0 10px;padding-left:26px;position:relative;color:#e6e3da;line-height:1.5;\"><span style=\"position:absolute;left:0;color:#69d8ed;\">&#10003;<\/span>Policy: Do not open untrusted repositories in the production IDE; use only a VM or sandbox<\/li>\n<li style=\"margin:0 0 10px;padding-left:26px;position:relative;color:#e6e3da;line-height:1.5;\"><span style=\"position:absolute;left:0;color:#69d8ed;\">&#10003;<\/span>App Control: Block execution of executables from developer workspace paths<\/li>\n<li style=\"margin:0 0 10px;padding-left:26px;position:relative;color:#e6e3da;line-height:1.5;\"><span style=\"position:absolute;left:0;color:#69d8ed;\">&#10003;<\/span>EDR: Alert when Cursor.exe spawns unexpected child processes from repository paths<\/li>\n<li style=\"margin:0 0 10px;padding-left:26px;position:relative;color:#e6e3da;line-height:1.5;\"><span style=\"position:absolute;left:0;color:#69d8ed;\">&#10003;<\/span>Software-BOM: Treat AI IDEs like any build tool, with owner, version, and exit criteria<\/li>\n<\/ul>\n<\/div>\n<p>AppLocker or Windows Defender Application Control (WDAC) should enforce path-based rules rather than hash-based ones; attackers can change hashes. Generally, do not allow any executables from workspace roots, not just git.exe. Binary planting is a known pattern across multiple AI IDEs. Those who demand \u201cno CVE in the scanner\u201d miss the risk. Primary source: Mindgard blog, 14.07.2026; cross\u2011checks also cited by Dark Reading and The Hacker News.<\/p>\n<h2 style=\"padding-top:64px;margin-bottom:20px;\">Frequently Asked Questions<\/h2>\n<p class=\"st-faq-hint\">Every question is locked. A tap unlocks the answer.<\/p>\n<details>\n<summary><strong>Is it relevant for macOS and Linux?<\/strong><\/summary>\n<p style=\"margin:8px 0 4px 24px;color:#555;line-height:1.6;\">The described exploit targets Windows and git.exe in the repository root. Other platforms are to be evaluated separately. Windows developers are the clear hotspot.<\/p>\n<\/details>\n<details>\n<summary><strong>Is it enough to block git.exe?<\/strong><\/summary>\n<p style=\"margin:8px 0 4px 24px;color:#555;line-height:1.6;\">It is the current trigger. Path-Resolution can check additional tool names. Better: generally prohibit executables from workspace roots.<\/p>\n<\/details>\n<details>\n<summary><strong>Is this the same as CVE-2026-26268 (Git Hooks)?<\/strong><\/summary>\n<p style=\"margin:8px 0 4px 24px;color:#555;line-height:1.6;\">No. 26268 concerns hidden Git hooks according to reports. The Mindgard case is Binary Planting of git.exe in the root. Different mechanism, same outcome: Code Execution.<\/p>\n<\/details>\n<details>\n<summary><strong>What do we require from the vendor?<\/strong><\/summary>\n<p style=\"margin:8px 0 4px 24px;color:#555;line-height:1.6;\">Patch, Advisory, a clear Search-Path-Policy without Workspace-Exec, and transparent SLAs for Criticals in Bug-Bounty.<\/p>\n<\/details>\n<details>\n<summary><strong>Primary source?<\/strong><\/summary>\n<p style=\"margin:8px 0 4px 24px;color:#555;line-height:1.6;\">Mindgard Blog &#8220;Cursor 0day: When Full Disclosure Becomes the Only Protection Left&#8221; (14.07.2026).<\/p>\n<\/details>\n<p><!--ST-LOWER-CARDS lang=de--><\/p>\n<h3 style=\"margin:48px 0 18px;padding-left:12px;font-size:1.05em;font-weight:800;color:#e6e3da;border-left:3px solid #69d8ed;line-height:1.2;\">Lesetipps der Redaktion<\/h3>\n<p><a href=\"https:\/\/www.securitytoday.de\/2026\/07\/15\/sharepoint-jwt-bypass-cve-2026-55040\/\" style=\"display:flex;align-items:center;gap:14px;padding:12px 14px;margin:0 0 10px;background:#23261f;border:1px solid rgba(105,216,237,0.18);border-radius:12px;box-shadow:inset 0 1px 0 rgba(230,227,218,0.06),0 6px 18px rgba(0,0,0,0.22);text-decoration:none;color:#e6e3da;box-sizing:border-box;width:100%;\"><span style=\"flex:0 0 116px;aspect-ratio:16\/9;overflow:hidden;border-radius:8px;background:#111210;border:1px solid rgba(230,227,218,0.08);display:block;\"><img decoding=\"async\" src=\"https:\/\/www.securitytoday.de\/wp-content\/uploads\/2026\/07\/sharepoint-jwt-bypass-cve-2026-55040-cover-hero-250x143.jpg\" alt=\"\" loading=\"lazy\" width=\"116\" height=\"65\" style=\"width:100%;height:100%;object-fit:cover;display:block;\"><\/span><span style=\"display:block;min-width:0;\"><span style=\"display:block;font-size:0.68em;font-weight:700;letter-spacing:0.1em;text-transform:uppercase;color:#69d8ed;margin-bottom:5px;\">Lesetipp<\/span><span style=\"display:block;font-size:1.0em;font-weight:650;line-height:1.35;color:#e6e3da;overflow-wrap:anywhere;\">SharePoint-JWT-Bypass \u00f6ffnet On-Prem-Sites<\/span><\/span><\/a><a href=\"https:\/\/www.securitytoday.de\/2026\/07\/15\/bitlocker-bypass-cve-2026-50661\/\" style=\"display:flex;align-items:center;gap:14px;padding:12px 14px;margin:0 0 10px;background:#23261f;border:1px solid rgba(105,216,237,0.18);border-radius:12px;box-shadow:inset 0 1px 0 rgba(230,227,218,0.06),0 6px 18px rgba(0,0,0,0.22);text-decoration:none;color:#e6e3da;box-sizing:border-box;width:100%;\"><span style=\"flex:0 0 116px;aspect-ratio:16\/9;overflow:hidden;border-radius:8px;background:#111210;border:1px solid rgba(230,227,218,0.08);display:block;\"><img decoding=\"async\" src=\"https:\/\/www.securitytoday.de\/wp-content\/uploads\/2026\/07\/bitlocker-bypass-cve-2026-50661-cover-hero-250x143.jpg\" alt=\"\" loading=\"lazy\" width=\"116\" height=\"65\" style=\"width:100%;height:100%;object-fit:cover;display:block;\"><\/span><span style=\"display:block;min-width:0;\"><span style=\"display:block;font-size:0.68em;font-weight:700;letter-spacing:0.1em;text-transform:uppercase;color:#69d8ed;margin-bottom:5px;\">Lesetipp<\/span><span style=\"display:block;font-size:1.0em;font-weight:650;line-height:1.35;color:#e6e3da;overflow-wrap:anywhere;\">BitLocker-Bypass bei physischem Zugriff<\/span><\/span><\/a><a href=\"https:\/\/www.securitytoday.de\/2026\/07\/15\/nihon-kotsu-ailock-dispatch-malware-case\/\" style=\"display:flex;align-items:center;gap:14px;padding:12px 14px;margin:0 0 10px;background:#23261f;border:1px solid rgba(105,216,237,0.18);border-radius:12px;box-shadow:inset 0 1px 0 rgba(230,227,218,0.06),0 6px 18px rgba(0,0,0,0.22);text-decoration:none;color:#e6e3da;box-sizing:border-box;width:100%;\"><span style=\"flex:0 0 116px;aspect-ratio:16\/9;overflow:hidden;border-radius:8px;background:#111210;border:1px solid rgba(230,227,218,0.08);display:block;\"><img decoding=\"async\" src=\"https:\/\/www.securitytoday.de\/wp-content\/uploads\/2026\/07\/nihon-kotsu-ailock-dispatch-malware-case-cover-hero-250x143.jpg\" alt=\"\" loading=\"lazy\" width=\"116\" height=\"65\" style=\"width:100%;height:100%;object-fit:cover;display:block;\"><\/span><span style=\"display:block;min-width:0;\"><span style=\"display:block;font-size:0.68em;font-weight:700;letter-spacing:0.1em;text-transform:uppercase;color:#69d8ed;margin-bottom:5px;\">Lesetipp<\/span><span style=\"display:block;font-size:1.0em;font-weight:650;line-height:1.35;color:#e6e3da;overflow-wrap:anywhere;\">Nihon Kotsu: Dispatch f\u00e4llt nach Malware<\/span><\/span><\/a><\/p>\n<h3 style=\"margin:48px 0 18px;padding-left:12px;font-size:1.05em;font-weight:800;color:#e6e3da;border-left:3px solid #69d8ed;line-height:1.2;\">Mehr aus dem MBF Media Netzwerk<\/h3>\n<p><a href=\"https:\/\/www.cloudmagazin.com\/2026\/07\/15\/aws-sovereign-cloud-was-wirklich-getrennt-ist\/\" style=\"display:flex;align-items:center;gap:14px;padding:12px 14px;margin:0 0 10px;background:#23261f;border:1px solid rgba(105,216,237,0.18);border-radius:12px;box-shadow:inset 0 1px 0 rgba(230,227,218,0.06),0 6px 18px rgba(0,0,0,0.22);text-decoration:none;color:#e6e3da;box-sizing:border-box;width:100%;\"><span style=\"flex:0 0 116px;aspect-ratio:16\/9;overflow:hidden;border-radius:8px;background:#111210;border:1px solid rgba(230,227,218,0.08);display:block;\"><img decoding=\"async\" src=\"https:\/\/www.securitytoday.de\/wp-content\/uploads\/2026\/07\/net-aws-sovereign-cloud-was-wirklich-getrenn-12030184.jpg\" alt=\"\" loading=\"lazy\" width=\"116\" height=\"65\" style=\"width:100%;height:100%;object-fit:cover;display:block;\"><\/span><span style=\"display:block;min-width:0;\"><span style=\"display:block;font-size:0.68em;font-weight:700;letter-spacing:0.1em;text-transform:uppercase;color:#0bb7fd;margin-bottom:5px;\">cloudmagazin<\/span><span style=\"display:block;font-size:1.0em;font-weight:650;line-height:1.35;color:#e6e3da;overflow-wrap:anywhere;\">AWS Sovereign Cloud: was wirklich getrennt ist<\/span><\/span><\/a><a href=\"https:\/\/mybusinessfuture.com\/digitaler-produktpass-hersteller-pflichten\/\" style=\"display:flex;align-items:center;gap:14px;padding:12px 14px;margin:0 0 10px;background:#23261f;border:1px solid rgba(105,216,237,0.18);border-radius:12px;box-shadow:inset 0 1px 0 rgba(230,227,218,0.06),0 6px 18px rgba(0,0,0,0.22);text-decoration:none;color:#e6e3da;box-sizing:border-box;width:100%;\"><span style=\"flex:0 0 116px;aspect-ratio:16\/9;overflow:hidden;border-radius:8px;background:#111210;border:1px solid rgba(230,227,218,0.08);display:block;\"><img decoding=\"async\" src=\"https:\/\/www.securitytoday.de\/wp-content\/uploads\/2026\/07\/net-digitaler-produktpass-hersteller-pflicht-48690623-250x141.jpg\" alt=\"\" loading=\"lazy\" width=\"116\" height=\"65\" style=\"width:100%;height:100%;object-fit:cover;display:block;\"><\/span><span style=\"display:block;min-width:0;\"><span style=\"display:block;font-size:0.68em;font-weight:700;letter-spacing:0.1em;text-transform:uppercase;color:#aa8ac2;margin-bottom:5px;\">MyBusinessFuture<\/span><span style=\"display:block;font-size:1.0em;font-weight:650;line-height:1.35;color:#e6e3da;overflow-wrap:anywhere;\">Digitaler Produktpass: Was Hersteller tun m\u00fcssen<\/span><\/span><\/a><a href=\"https:\/\/www.digital-chiefs.de\/token-opex-inference-steuert-nicht-das-seat-budget\/\" style=\"display:flex;align-items:center;gap:14px;padding:12px 14px;margin:0 0 10px;background:#23261f;border:1px solid rgba(105,216,237,0.18);border-radius:12px;box-shadow:inset 0 1px 0 rgba(230,227,218,0.06),0 6px 18px rgba(0,0,0,0.22);text-decoration:none;color:#e6e3da;box-sizing:border-box;width:100%;\"><span style=\"flex:0 0 116px;aspect-ratio:16\/9;overflow:hidden;border-radius:8px;background:#111210;border:1px solid rgba(230,227,218,0.08);display:block;\"><img decoding=\"async\" src=\"https:\/\/www.securitytoday.de\/wp-content\/uploads\/2026\/07\/net-token-opex-inference-steuert-nicht-das-s-43794747-250x141.jpg\" alt=\"\" loading=\"lazy\" width=\"116\" height=\"65\" style=\"width:100%;height:100%;object-fit:cover;display:block;\"><\/span><span style=\"display:block;min-width:0;\"><span style=\"display:block;font-size:0.68em;font-weight:700;letter-spacing:0.1em;text-transform:uppercase;color:#e8828d;margin-bottom:5px;\">Digital Chiefs<\/span><span style=\"display:block;font-size:1.0em;font-weight:650;line-height:1.35;color:#e6e3da;overflow-wrap:anywhere;\">Token-OPEX: Inference steuert, nicht das Seat-Budget<\/span><\/span><\/a><\/p>\n<p style=\"font-style:italic;text-align:right;font-size:0.85em;color:#888;margin-top:8px;\">Bildquelle: KI-generiert (Juli 2026)<\/p>\n<p><!--\/ST-LOWER-CARDS--><\/p>\n","protected":false},"excerpt":{"rendered":"Mindgard: Cursor on Windows executes local repo git.exe without prompt. Reported Dec 2025, still unpatched as of July 2026. Policy and AppLocker mitigations available.","protected":false},"author":10,"featured_media":22154,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_yoast_wpseo_focuskw":"cursor windows git execution vulnerability","_yoast_wpseo_title":"Cursor Launches git.exe from Repository Root on Windows","_yoast_wpseo_metadesc":"Mindgard: Cursor on Windows executes local repository git.exe without prompt. Reported in December 2025, remains unpatched as of July 2026.","_yoast_wpseo_meta-robots-noindex":"","_yoast_wpseo_meta-robots-nofollow":"","_yoast_wpseo_meta-robots-adv":"","_yoast_wpseo_canonical":"","_yoast_wpseo_opengraph-title":"","_yoast_wpseo_opengraph-description":"","_yoast_wpseo_opengraph-image":"","_yoast_wpseo_opengraph-image-id":0,"_yoast_wpseo_twitter-title":"","_yoast_wpseo_twitter-description":"","_yoast_wpseo_twitter-image":"","_yoast_wpseo_twitter-image-id":0,"evm_cvss":0,"evm_risk":0,"evm_casefile":"","evm_primary_cve":"","evm_external_preview_token":"","evm_external_preview_expires":"","_evm_translation_lang":"en","featured_post":0,"featured_post_sortierung":0,"_wp_old_slug":[],"footnotes":""},"categories":[259],"tags":[],"class_list":["post-22164","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-strategie-governance-en"],"evm_reading_time_minutes":4,"wpml_language":"en","wpml_translation_of":22139,"_links":{"self":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts\/22164","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/users\/10"}],"replies":[{"embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/comments?post=22164"}],"version-history":[{"count":0,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts\/22164\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/media\/22154"}],"wp:attachment":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/media?parent=22164"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/categories?post=22164"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/tags?post=22164"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}