Levkovich noted that the underlying Git behavior allowing the attack path is well documented, but what’s different here is Cursor autonomously deciding to execute Git operations (running hooks) that ultimately result in code execution.
The flaw is tracked as CVE-2026-26268, with a critical severity rating of 9.9 out of 10 assigned by NVD, and affects Cursor versions prior to 2.5. “Sandbox escape via writing .git configuration was possible in versions prior to 2.5,” reads an NVD description of the flaw. “A malicious agent (i.e. prompt injection) could write to improperly protected .git settings, including git hooks, which may cause out-of-sandbox RCE next time they are triggered.”
Expanded attack surface with agentic IDEs
Novee warned that while traditional IDEs are passive, doing what developers explicitly tell them to do, Cursor’s AI agent interprets intent and autonomously decides which commands to run, which includes Git operations. And that’s where the problem lies.
