Cursor 0day: AI coding tool with 7M+ users has unfixed arbitrary code execution vulnerability after 7 months of vendor silence
Security firm Mindgard disclosed a trivially exploitable vulnerability in Cursor, the AI-powered IDE used by 7M+ developers (1M+ paying, 50K+ companies, reported $60B valuation). When a developer opens a repository containing a planted malicious git.exe in the project root, Cursor automatically executes it with no clicks, prompts, approval dialogs, or warnings. The binary re-executes on a recurring cadence while the project remains open. Mindgard reported the issue on December 15, 2025, and engaged Cursor's CISO, HackerOne (which reproduced and confirmed the bug), and Cursor leadership across multiple channels. Seven months and 197+ shipped versions later, the vulnerability remains unfixed, forcing full public disclosure.

197 Versions, Zero Fixes: What Cursor's Silence Says About AI Tooling Security
Here is the bug. Drop a file called git.exe in the root of a project repository. Open that repository in Cursor, the AI-powered code editor used by 7 million-plus active users. Cursor runs the file. No click. No prompt. No warning. No approval dialog. It just executes, and it keeps re-executing on a recurring cadence for as long as the project stays open 1.
That is the entire vulnerability. No prompt injection, no memory corruption, no sophisticated exploit chain. A renamed binary in a folder.
The security firm Mindgard proved it with Windows Calculator renamed to git.exe. Open the repo, watch calculators multiply. In a real attack, swap Calculator for anything 1.
But the vulnerability is not the story. Bugs happen. What makes this worth your attention is what happened after the bug was reported.
Mindgard disclosed the issue to Cursor on December 15, 2025, following the company's own published security.txt protocol. When initial reports produced no confirmation, they escalated across every available channel. Cursor's CISO eventually responded and acknowledged that an internal automation failure had prevented the expected HackerOne workflow from taking place. Mindgard was invited into a private bug bounty program and resubmitted. HackerOne reproduced the issue, confirmed it, and delivered the details to Cursor 1.
Then everything stopped. Requests for updates went unanswered. Escalation through HackerOne produced no meaningful engagement. Direct outreach to Cursor leadership yielded the same result 1.
Over the next seven months, Cursor shipped 197-plus new versions. Features shipped. Announcements continued. The platform evolved. The vulnerability stayed exactly where it was. As of April 30, 2026, Mindgard verified the bug remained fully exploitable against Cursor version 3.2.16 on Windows 1.
Consider the scale. Cursor has 7 million-plus active users, 1 million-plus paying subscribers, and is deployed inside 50,000-plus companies 1. Every one of those users is potentially exposed. Anyone who clones a repository, pulls a dependency, or reviews a colleague's code in Cursor on Windows is one planted binary away from arbitrary code execution.
That is the attack surface of a tool designed to ingest and interact with external code, running inside the development environments of tens of thousands of organizations. And the vendor went dark.
Mindgard frames the uncomfortable question directly: "At some point the conversation shifts from vulnerability disclosure to a more uncomfortable question: What exactly is the security process for?" 1.
That question lands harder when you zoom out. The same velocity-first culture that makes AI coding tools attractive is the culture that ships 197 versions in seven months without fixing a bug flagged on day one. Feature velocity and security hygiene are not naturally aligned. When they conflict and the scoreboard only tracks shipped features, security loses.
This is not just a Cursor problem. It is a category problem. The AI developer tools market is moving at a pace that makes traditional software release cycles look glacial. New models, new integrations, new agent capabilities ship weekly. But the security infrastructure around these tools was not built for this speed. Coordinated vulnerability disclosure assumes a vendor that responds. Bug bounty programs assume a triage pipeline that functions. Both assumptions failed here, in sequence, and neither generated a fix.
The HackerOne report was initially closed as Informative and out of scope. Mindgard challenged that determination. HackerOne reopened the report, reproduced the issue, and confirmed that details had been delivered to Cursor. And still: no remediation, no communication, no timeline 1.
Mindgard was forced into full public disclosure, which they describe as a last resort after every coordinated channel failed 1.
For Cursor users right now: Mindgard recommends opening untrusted repositories only in isolated VMs or Windows Sandbox until the IDE is patched. On managed Windows systems, administrators can deploy AppLocker or Windows App Control policies to block execution of executables from workspace directories 1.
For the people building, funding, or deploying AI developer tools: a tool used by 7 million developers and deployed inside 50,000 companies could not find the engineering capacity to fix a bug that requires checking whether a git binary lives inside the workspace before running it. That is not a resource problem. It is a priority problem. If the industry does not start measuring security debt alongside feature velocity, the next disclosure will not come from a research firm that gives you seven months of notice.