CVE-2026-26268: Anysphere Cursor Sandbox Escape RCE Flaw

CVE-2026-26268 Overview

CVE-2026-26268 is a critical sandbox escape vulnerability affecting Cursor, a code editor built for programming with AI. The vulnerability allows a malicious agent (via prompt injection) to write to improperly protected .git settings, including git hooks, which can lead to out-of-sandbox remote code execution when these hooks are automatically triggered by Git operations.

This vulnerability is classified as CWE-862 (Missing Authorization), as the application failed to properly restrict write access to sensitive .git configuration files within its sandbox environment. The flaw enables attackers to achieve code execution outside the intended sandbox without any user interaction.

Critical Impact

Attackers can achieve out-of-sandbox remote code execution through malicious prompt injection targeting Git configuration files, with no user interaction required.

Affected Products

• Anysphere Cursor versions prior to 2.5

Discovery Timeline

• 2026-02-13 - CVE CVE-2026-26268 published to NVD
• 2026-02-18 - Last updated in NVD database

Technical Details for CVE-2026-26268

Vulnerability Analysis

This vulnerability stems from insufficient access controls within Cursor's sandbox implementation. The AI-powered code editor failed to properly protect .git directory configurations, allowing write operations to sensitive files that should have been restricted.

The critical weakness lies in the sandbox's inability to prevent modifications to Git hooks—executable scripts that Git runs automatically in response to certain events such as commits, pushes, or merges. When a malicious AI agent (via prompt injection) writes to these hook files, the attacker-controlled code executes the next time the corresponding Git operation is triggered, effectively escaping the sandbox environment.

Root Cause

The root cause is missing authorization checks (CWE-862) on file write operations targeting the .git directory within Cursor's sandboxed environment. The application did not validate or restrict access to sensitive Git configuration paths, allowing unrestricted modification of files including:

• .git/hooks/ directory (pre-commit, post-commit, pre-push, etc.)
• .git/config configuration file
• Other Git-controlled metadata files

Attack Vector

The attack leverages prompt injection techniques to instruct the AI agent to write malicious content to Git hook files. The attack chain proceeds as follows:

1. An attacker crafts a malicious prompt injection payload
2. The AI agent processes the injection and writes to .git/hooks/ files
3. Git automatically executes these hooks during normal operations (commit, push, etc.)
4. The malicious code runs outside the sandbox with the user's privileges

This is a network-based attack vector that requires low privileges and no user interaction, as Git automatically executes hook scripts during routine operations.

The vulnerability manifests through the sandbox's failure to prevent writes to .git configuration files. When Git hooks such as pre-commit or post-checkout are modified with malicious content, Git executes them automatically without user confirmation. For detailed technical information, see the GitHub Security Advisory.

Detection Methods for CVE-2026-26268

Indicators of Compromise

• Unexpected modifications to .git/hooks/ files within project directories
• Unusual executable content appearing in Git hook scripts
• Unexplained process spawning from Git operations
• Shell commands or scripts in hook files that were not manually created

Detection Strategies

• Monitor file system activity for writes to .git/hooks/ directories
• Implement file integrity monitoring on Git configuration files
• Audit AI agent interactions for suspicious prompt patterns targeting file operations
• Review Git hook contents for unauthorized or obfuscated code

Monitoring Recommendations

• Enable detailed logging of file operations within Cursor's workspace directories
• Set up alerts for any modifications to .git/ subdirectories by the application
• Monitor process creation events associated with Git operations for anomalous child processes
• Regularly audit Git repositories for unexpected hook modifications

How to Mitigate CVE-2026-26268

Immediate Actions Required

• Upgrade Cursor to version 2.5 or later immediately
• Audit all existing repositories for unauthorized modifications to .git/hooks/ files
• Review and remove any suspicious content from Git configuration files
• Consider temporarily disabling Git hooks in sensitive repositories until patched

Patch Information

Anysphere has addressed this vulnerability in Cursor version 2.5. The patch implements proper authorization controls to prevent writes to .git configuration files from the sandboxed environment. Users should update to version 2.5 or later to remediate this vulnerability.

For additional details, refer to the GitHub Security Advisory GHSA-8pcm-8jpx-hv8r.

Workarounds

• Remove or make read-only all files in .git/hooks/ directories until patching is possible
• Configure Git globally to ignore hook scripts using git config --global core.hooksPath /dev/null
• Restrict file system permissions on .git directories to prevent unauthorized writes
• Consider using Git's safe.directory configuration to limit operations on sensitive repositories

# Disable Git hooks globally as a temporary workaround
git config --global core.hooksPath /dev/null

# Make existing hooks read-only
chmod -R 444 .git/hooks/

# Verify no malicious hooks exist
ls -la .git/hooks/
cat .git/hooks/*