AI security incident: CVE-2026-26268 (NVD)
Cursor is a code editor built for programming with AI. Sandbox escape via writing .git configuration was possible in versions prior to 2.5. A malicious agent (i.e., one steered by prompt injection) could write to improperly protected .git settings, including git hooks, which may cause out-of-sandbox RCE the next time they are triggered. No user interaction was required, as Git executes these commands automatically. Fixed in version 2.5.
Impact
Severity HIGH. Confidence 75%. Source channel: NVD.
Recommended Response
- Validate whether your organization uses the affected AI tool, model, or integration path.
- Apply vendor patches or mitigations and restrict risky permissions until validated.
- Monitor logs for related indicators and document containment actions for compliance evidence.
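A check that supports the response steps above, added here as an example (not code from Cursor or from this advisory): it lists executable non-sample hooks and a short, non-exhaustive set of command-bearing config keys found in a repository's .git directory. The function names, the key selection and the sample repository are assumptions constructed for illustration, and POSIX file modes are assumed.

```python
import re
import tempfile
from pathlib import Path

# Assumption: a non-exhaustive selection of git config keys whose values
# point git at hooks or are run as commands. Extend it for your environment.
EXEC_KEYS = {"core.hookspath", "core.fsmonitor", "core.sshcommand"}

def audit_git_dir(git_dir):
    """Return sorted findings for active hooks and command-bearing config keys."""
    git_dir = Path(git_dir)
    findings = []
    hooks = git_dir / "hooks"
    if hooks.is_dir():
        for p in hooks.iterdir():
            # git ships inert *.sample files; any other executable file is a live hook
            if p.is_file() and not p.name.endswith(".sample") and p.stat().st_mode & 0o111:
                findings.append(f"hook:{p.name}")
    cfg = git_dir / "config"
    section = ""
    if cfg.is_file():
        for line in cfg.read_text(errors="replace").splitlines():
            line = line.strip()
            m = re.match(r"\[\s*([A-Za-z0-9.-]+)", line)
            if m:  # section header such as [core] or [remote "origin"]
                section = m.group(1).lower()
                continue
            m = re.match(r"([A-Za-z][A-Za-z0-9-]*)\s*=\s*(.*)", line)
            key = f"{section}.{m.group(1).lower()}" if m else ""
            if key in EXEC_KEYS:
                findings.append(f"config:{key}={m.group(2)}")
    return sorted(findings)

def demo():
    """Constructed sample: a .git directory with one live hook and one hooksPath override."""
    with tempfile.TemporaryDirectory() as d:
        g = Path(d) / ".git"
        (g / "hooks").mkdir(parents=True)
        (g / "hooks" / "pre-commit.sample").write_text("#!/bin/sh\n")
        hook = g / "hooks" / "post-checkout"
        hook.write_text("#!/bin/sh\necho constructed\n")
        hook.chmod(0o755)
        (g / "config").write_text(
            '[core]\n\tbare = false\n\thooksPath = /tmp/constructed-hooks\n'
            '[remote "origin"]\n\turl = https://example.invalid/r.git\n')
        return audit_git_dir(g)

if __name__ == "__main__":
    print(demo())
```

A finding is a prompt for review, not proof of compromise; compare it against the hooks and settings your team intentionally installed.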