Cursor says automatically running a repository-root git.exe on Windows does not meet its criteria for patching, while the researcher calls it an untrusted-search-path defect and separate research shows the same weakness across several competing AI coding tools.
git.exe must already be in the repository root.Cursor has declined to patch a Windows behavior that can run a repository-root git.exe when a developer opens a project. The trigger is narrow, and no retained source documents exploitation in the wild. The unresolved issue is whether opening a hostile repository is the security failure, as Cursor argues, or whether silently resolving an executable from that repository is a product defect.
The reported execution path begins when Cursor opens a project on Windows and searches multiple locations for Git, including the workspace. If the repository root contains an executable named exactly git.exe, Cursor can invoke it as part of Git discovery without another click, approval dialog or warning.
Mindgard demonstrated the behavior with Windows Calculator renamed to git.exe. Opening the test repository launched Calculator, and the application invoked it again while the project remained open. A process trace in the researcher's disclosure shows Cursor calling the planted binary with git rev-parse --show-toplevel. Mindgard said it last verified the path on April 30, 2026, in Cursor 3.2.16, with the process running under the current user's privileges.
Cursor's limiting facts are material. The behavior affects Windows, not macOS or Linux; the planted file must use the precise name git.exe; and the user must open the directory containing it. This is not a remote attack against any Cursor installation merely because it is online.
Those prerequisites do not require an attacker to have prior access to the target computer, however. A repository or archive is itself a delivery route for the planted binary. Mindgard chief product officer Aaron Portnoy therefore describes the behavior as an untrusted-search-path weakness in the CWE-426/427 family. That classification is the researcher's assessment, not a severity determination independently established by the retained sources.
Cursor says the finding is outside its bug-bounty program because customers decide which repositories, prompts, external content, MCP servers, rules and tools enter their environment. Issues that depend on malicious inputs already being present generally fall outside that shared-responsibility model, the company said in its public response.
That position accepts the mechanics but locates the security boundary before the project opens. Portnoy's counterargument locates it later: the user supplies files, but Cursor's Git-resolution logic decides which file to execute. Opening repositories is routine development work, he said, and does not amount to approval for a workspace binary to run.
Cursor points customers handling potentially malicious repositories to Workspace Trust. When enabled, the company says, untrusted folders open in a restricted mode that prevents automatic code execution; managed organizations can enforce the setting through mobile device management.
The control does not yet resolve the factual dispute. Portnoy said Workspace Trust is off by default and that he had not seen confirmation that Workspace Trust or Restricted Mode blocks this specific git.exe path. Cursor says the control prevents malicious repositories from automatically executing code. The report carrying both responses contains no independent reproduction with Workspace Trust enabled, so neither side's broader claim about that mitigation is established there.
Mindgard says it discovered and reported the issue on December 15, 2025. After a follow-up went unanswered, the company sought a security contact publicly in January. Cursor's chief information security officer replied on January 15 and said an automation failure had prevented the expected invitation to Cursor's private HackerOne program, according to Mindgard's account of the chronology.
The company resubmitted the report that day. It was closed as “Informative” and out of scope, reopened after Mindgard challenged the decision and HackerOne reproduced the behavior, then confirmed as delivered to Cursor on January 20. Mindgard recorded unanswered update requests in February, March and April, informed HackerOne on June 1 that it planned to disclose, and published technical details on July 14. A contemporaneous account separately recounted the main sequence while attributing the underlying dates to Mindgard.
An early account relaying Cursor's response to Dark Reading quoted a spokesperson saying the company was “addressing this” and would contact Mindgard. Cursor's fuller response subsequently made clear that it had decided the finding did not meet its criteria for patching. The later position supersedes any inference that the earlier statement promised a code change.
Cursor did acknowledge a process failure: it said the company should have communicated its scope decision directly and was fixing that gap. It did not concede the product behavior was a vulnerability. Portnoy also said in the report carrying his response that a different Git-related finding was triaged and fixed in Cursor 2.5 during the same period. That comparison shows the reporting and release process could move another Git finding, but it does not establish why this one received a different decision.
Cursor's response is not occurring in isolation. Separate primary research published in June found workspace-local executable resolution across several Windows AI coding tools.
The comparisons are close but not identical:
| Product tested | Reported trigger | Status reported by the researcher |
|---|---|---|
| GitHub Copilot CLI | A workspace git.exe or which.exe runs during CLI startup, before a folder-trust prompt | Triaged, bounty paid, severity downgraded; no fix committed |
| Gemini CLI | A workspace git.exe runs when the CLI initializes Git discovery | Google acknowledged the issue; remediation status was unknown |
| Codex desktop app | A workspace git.exe runs when a project folder opens | Closed as not applicable |
That evidence redistributes the story. It weakens the idea that Cursor alone introduced an unusual execution pattern, while strengthening the case that Windows executable discovery has become a shared blind spot across competing tools. It also shows that vendor disagreement is not simply about reproducibility: the responses ranged from triage and a bounty to closure without a patch.
The comparison has limits. The products do not all have the same interface or trigger, and Cymulate's Cursor finding concerned a separate Cursor CLI npx.exe chain rather than Mindgard's Cursor IDE git.exe report. It is evidence of a broader class, not proof that every product exposes users in precisely the same way.
Cursor's recommended control is Workspace Trust. Mindgard's temporary advice goes further. For managed Windows fleets, it recommends AppLocker or Windows App Control rules that deny execution from development workspace directories. It prefers path-based rules to file hashes because an attacker can change a binary's contents and therefore its hash. Parent-aware restrictions generally require endpoint detection software or another custom security product, the company said.
For individuals, Mindgard recommends opening untrusted repositories only inside Windows Sandbox, an isolated virtual machine or another disposable environment until the IDE changes. These measures can reduce exposure, but they require configuration, enforcement or a segregated workflow outside Cursor's default installation.
Mindgard describes Cursor as having more than 7 million active users, more than 1 million paying users and adoption at more than 50,000 companies. Those figures provide company-scale context supplied by the researcher; they do not reveal how many installations use Windows, keep Workspace Trust disabled or open repositories from untrusted sources. The available evidence therefore does not support claims that millions of users were exposed to this exact path.
The dispute now turns on evidence Cursor can produce. A release number and documented change to executable lookup would establish that the behavior has been removed. A reproducible test on a default installation would show whether the current product still resolves the repository-root binary. An independent test with Workspace Trust enabled would determine whether Git discovery occurs before or after the restriction takes effect.
Absent those results, the two sides are answering different questions. Cursor is asking whether customers should open hostile inputs; Mindgard is asking why an editor executes code from those inputs without a second decision. The narrow Windows prerequisite limits the affected population, and the same weakness in rival tools makes the problem broader than Cursor. Neither fact answers whether an optional trust control reliably blocks this path.
Get concise AI news and useful context from the Magica team.
Read the newsletterOpenAI has put conversations and Projects back in its redesigned ChatGPT desktop app and enabled cloud Work threads to move across devices, correcting the launch's biggest usability failures without merging local Work or Codex histories.
Meta reportedly plans to put departing AWS compute executive Dave Brown to work on its data-center buildout, adding hyperscale operating experience while leaving any customer-facing cloud business conditional and undefined.
China has paired a five-year AI training offer for developing countries with cooperation centers, a weather-warning rollout and a new 29-country organization. The package gives Beijing a platform for influence, but no budget, selection rules or delivery timetable has been published.
RoboTTT extends a robot policy’s visuomotor context to 8,000 timesteps and raises its average rubric score from 42% to 79%, but the evidence comes from three author-run assembly tasks and the longest task was completed in only two of ten trials.
Zhipu reportedly reached $1 billion in annual recurring revenue in July, roughly four times a March estimate, but the unconfirmed run rate is not annual sales and still sits far ahead of recognized cloud revenue while margins remain thin.
Nebius has arranged its first senior secured facility against an operating GPU deployment and one customer’s cash flows. The deal adds project-level debt to its expansion toolkit, but an unnamed customer and a larger rival financing limit what it proves about the rest of Nebius’s backlog.
Huawei publicly displayed a 16-cabinet Atlas 950 configuration rated at 1 EFLOPS in FP8, providing tangible evidence of its system-scale AI strategy while leaving price, power use and sustained workload performance undisclosed ahead of the full system's planned fourth-quarter release.
CIA Director John Ratcliffe said US intelligence is consistent with an estimate that Russian recruits last 20 to 30 minutes on Ukraine’s battlefield, but the public trail leads to an unsourced claim about assault troops and does not establish a representative average.
UK testing places leading open-weight models four to seven months behind selected closed-model cyber results, yet longer attack chains, U.S. benchmarks and mixed cost comparisons show why that interval is a warning signal rather than a universal capability clock.
TSMC reached the top of its second-quarter revenue guidance and raised its 2026 outlook, but a one-off investment gain boosted profit growth while the company committed more capital to 2-nanometer production, advanced packaging and an undated Arizona expansion.
Moonshot AI's Kimi K3 added to a global technology selloff with near-frontier performance, but unreleased weights, mixed cost comparisons and a recommended 64-accelerator deployment leave its effect on chip demand unresolved.
Moonshot AI has made Kimi K3 available through its apps and API, pairing a 2.8-trillion-parameter architecture with early frontier-level results, but the model's open-weight claim cannot be tested until its weights and technical report arrive.
Two binding EU decisions require Google to give rival AI services comparable access to 11 Android features and offer eligible search competitors a restricted, anonymized dataset, but phased deadlines, certification, pricing and privacy safeguards leave the competitive effect unproven.
Databricks has signed a term sheet for a Coatue-led financing at a $188 billion valuation, while unidentified sources put the round at $3 billion. The proposed capital would deepen its push into AI governance, data agents and operational databases, but the transaction remains open and the company supplied no new operating figures.
Netflix says generative AI workflows were used on roughly 300 titles in 2026, but its only quantified example tied to that disclosure covers 17 minutes and does not establish how much finished material, spending or labor changed across the slate.
Gemini 3.5 Pro missed its expected June rollout. An anonymous-source account says a late-June data change fell short of Google's coding goals, but Google has confirmed only partner testing—not the reported cause, a new date, or public results and pricing.
Google is bringing Gemini Omni editing and a reusable face-and-voice avatar to Vids, but the sharper distinction is account-level identity across Vids and Gemini rather than a new category of AI video; Vids already offered Veo generation and customizable avatars, while specialist rivals already sell digital presenters.
Intel plans to adopt Gemini Enterprise across engineering, supply-chain and corporate work while extending chip-simulation capacity into Google Cloud, but the companies supplied no rollout schedule, contract value or performance baseline.
The Navy has approved an immediate department-wide framework for turning data into operational effects, but the public rollout leaves budgets, owners, deadlines, performance measures and assurance rules to a promised implementation roadmap.
Runta has raised a $20 million seed round led by Andreessen Horowitz for an execution layer that governs agents at the operating-system and network levels, entering a market where cloud runtimes and sandbox providers already offer overlapping controls.