Cursor Sandbox Escape via Git Hooks Remote Code Execution - CVE-2026-26268

AI Agent & CLI Security · Critical · CVE-2026-26268 (CVSS 9.9, GHSA-8pcm-8jpx-hv8r) · Affected: Anysphere Cursor before 2.5

Anysphere disclosed CVE-2026-26268 (CVSS 9.9, advisory GHSA-8pcm-8jpx-hv8r) on February 13, 2026, a sandbox escape in the Cursor AI code editor caused by improperly protected .git configuration. A malicious agent - including one steered through prompt injection from repository content - could write Git settings such as hooks from inside the sandbox, and a later routine Git operation would run that hook outside the sandbox, executing attacker code on the workstation with no further interaction. The flaw affects Cursor before 2.5 and is fixed in 2.5. This advisory covers what was disclosed and how to inventory and govern this class of agent-driven sandbox escape.

What happened

Anysphere found that Cursor did not protect its .git configuration from writes originating in the sandboxed agent environment. From inside the sandbox, a malicious agent could write Git settings - including hook scripts that Git runs automatically on common operations. The agent did not have to be overtly hostile to be the vehicle: an instruction planted in repository content the agent reads could steer it into making the write, the same indirect prompt injection shape that keeps showing up across AI coding tools.

The escape itself happened later, on an ordinary action. Git executes hooks outside Cursor's sandbox, so when a routine operation - a commit, a checkout, a status check - triggered the planted hook, Git ran it on the workstation as the developer, with no further user interaction. The full chain only required a developer to open or clone a repository carrying a malicious Git configuration in Cursor. Anysphere fixed the issue in Cursor 2.5 by adding authorization controls that prevent writes to .git configuration files from the sandboxed environment. The root cause is the recurring one in agentic tooling: an agent action wrote to a trusted execution path that took effect ahead of any explicit trust decision - the same shape as the sibling Claude Code project-file RCE and token exfiltration, where repository configuration ran before consent.

Why this is an agentic-endpoint risk

The dangerous surface here is not a server or a network path - it is the coding agent itself and the Git execution path it can reach. The sandbox was meant to contain what the agent does, but the boundary leaked at exactly the place that matters: the .git configuration that decides what code Git runs on routine operations. The trigger then fires on an everyday action - reading a repository, then committing - not on a privileged step a security tool would flag.

This exposure is hard to see from the controls you already run, because it lives in the AI artifact layer. A planted Git hook sits in a file developers rarely open; the Cursor process and the git process both look legitimate to EDR; the spawned command runs as the developer; and the network sees ordinary traffic. AI agents and CLIs are two of the eight AI artifact types Anomity tracks per endpoint, adopted bottom-up the same way AI agents and CLIs became the new shadow IT. The question is not whether one laptop is patched; it is which endpoints across the fleet run Cursor before 2.5, and which of them just had an agent write to .git - and you cannot answer that without an inventory of the artifact layer.

How Anomity surfaces and governs it

Upgrading Cursor to 2.5 closes this specific flaw, but the durable control is to treat the AI agent as a governed artifact and decide what it may write to the Git execution path before that write takes effect. Anomity does that in three steps.

First, inventory. Anomity inventories AI agents and CLIs - among the eight AI artifact types it tracks on every managed endpoint - then classifies them. It captures the Cursor version and agent metadata, so you can find builds before 2.5 and the endpoints where the affected agent is active. Metadata only: any secrets around the agent are redacted on the endpoint before anything leaves it.

Second, decide at the hook. On agents that expose a hook - for example, a Cursor or Claude Code PreToolUse event - Anomity evaluates each tool call against your policy and returns allow, deny, or log before the call runs. A tool call that attempts to write a Git hook or .git configuration file can be denied at the boundary, surfacing the escape attempt before the hook ever fires. That is the control runtime governance provides while a vulnerable build is still rolling out, and it stops the CVE-2026-26268 chain at its hinge: the moment the agent turns a repository read into a write to the Git execution path.
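
The deny decision described above can be sketched as a path check. This is an added example, not code from Cursor, Claude Code, or Anomity; the tool-call shape (`tool`, `path`), the tool names, and the function `decide` are assumptions made for illustration.

```python
import os

WRITE_TOOLS = {"write_file", "edit_file"}  # hypothetical tool names, not a real agent API

def decide(tool_call: dict, workspace: str) -> dict:
    """Classify one file-write tool call; returns a record with decision, path, reason."""
    record = {"tool": tool_call.get("tool"), "decision": "allow", "reason": "not a file write"}
    if record["tool"] not in WRITE_TOOLS:
        return record
    root = os.path.realpath(workspace)
    # realpath collapses ".." and follows symlinks, so aliases of .git are caught.
    target = os.path.realpath(os.path.join(root, tool_call.get("path", "")))
    record["resolved"] = target
    # Compare case-insensitively: default macOS and Windows filesystems fold case.
    parts = [p.lower() for p in target.split(os.sep) if p]
    if ".git" not in parts:
        record["reason"] = "outside .git"
        return record
    inside = parts[parts.index(".git") + 1:]
    # "hooks" anywhere below .git also covers submodule git dirs under .git/modules/.
    if "hooks" in inside or (inside and inside[-1] in ("config", "config.worktree")):
        record.update(decision="deny", reason="write to Git hook or configuration")
    else:
        record.update(decision="log", reason="write inside .git")
    return record

if __name__ == "__main__":
    # Constructed tool calls against a constructed workspace path.
    for path in ("src/app.py", ".git/index", "src/../.git/hooks/pre-commit"):
        print(decide({"tool": "write_file", "path": path}, "/tmp/constructed-workspace"))
```

The check covers file-write tool calls only; a tool call that runs a shell command can reach the same files and needs its own rule.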

Third, keep the record. Every decision, and every change to Git configuration, lands in a queryable 90-day audit trail, and decisions route to SIEM, Slack, email, or Jira. When a disclosure like CVE-2026-26268 lands, you can answer which endpoints ran the affected Cursor versions, which agents attempted a write to .git and when, and what was denied - from a record, not a guess. Anomity complements Network, EDR, DLP, and GRC tooling; it covers the artifact layer those tools were never built to inventory. See how it works or request early access.

What to check across your fleet

  • Identify every endpoint running Cursor before 2.5 and upgrade to 2.5 or later, where authorization controls block writes to .git configuration from the sandboxed environment.
  • Inventory recent writes to .git configuration and hooks in repositories opened in Cursor, and flag any hook that was written by the agent rather than by a person.
  • Treat opening or cloning an untrusted repository in an AI code editor as untrusted input, since the disclosed chain needed nothing more than that to plant the payload.
  • Confirm a policy denies tool calls that write a Git hook or .git configuration file at the agent hook, not only at patch time, so an escape attempt is stopped before a routine Git operation fires it.
  • Verify Git-configuration changes are captured in an audit trail and routed to your SIEM, so a planted hook is a recorded, reviewable event rather than a silent one.
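
One way to run the hook inventory from the second item, as an added example that is not part of the original advisory or any vendor tooling. The function names and the `since_epoch` window are assumptions; the filesystem cannot say who wrote a hook, so the window (for instance, the time the repository was first opened in Cursor) narrows the list for human review.

```python
import hashlib, re, tempfile
from pathlib import Path

def hooks_dir(git_dir: Path) -> Path:
    """Directory Git reads hooks from: core.hooksPath if set in .git/config, else .git/hooks."""
    cfg, section, target = git_dir / "config", "", git_dir / "hooks"
    lines = cfg.read_text(errors="replace").splitlines() if cfg.is_file() else []
    for line in map(str.strip, lines):
        header = re.match(r"\[\s*([\w.-]+)", line)
        if header:
            section = header.group(1).lower()
            continue
        key, sep, val = line.partition("=")
        if sep and section == "core" and key.strip().lower() == "hookspath":
            p = Path(val.strip().strip('"')).expanduser()
            # Assumption: a relative value is resolved against the work tree root.
            target = p if p.is_absolute() else git_dir.parent / p  # last entry wins
    return target

def active_hooks(git_dir, since_epoch=0.0):
    """Enabled hooks (executable, not *.sample) modified at or after since_epoch."""
    d, found = hooks_dir(Path(git_dir)), []
    if not d.is_dir():
        return found
    for f in sorted(d.iterdir()):
        if not f.is_file() or f.name.endswith(".sample"):
            continue
        st = f.stat()
        if st.st_mode & 0o111 and st.st_mtime >= since_epoch:
            found.append({"hook": f.name, "dir": str(d), "mtime": st.st_mtime,
                          "sha256": hashlib.sha256(f.read_bytes()).hexdigest()})
    return found

def constructed_repo() -> Path:
    """Constructed sample: one enabled hook, one stock sample, one non-executable file."""
    git_dir = Path(tempfile.mkdtemp()) / ".git"
    (git_dir / "hooks").mkdir(parents=True)
    for name, mode in [("pre-commit", 0o755), ("pre-push.sample", 0o755), ("post-checkout", 0o644)]:
        path = git_dir / "hooks" / name
        path.write_text("#!/bin/sh\necho constructed placeholder\n")
        path.chmod(mode)
    return git_dir

if __name__ == "__main__":
    for finding in active_hooks(constructed_repo()):
        print(finding)
```

The recorded hash and modification time give the audit trail something to compare against on the next run.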

CVE-2026-26268 is one instance of a recurring pattern: an agent action - often steered by untrusted content - writes to a trusted execution path that runs before anyone approves it. Patching Cursor to 2.5 closes this case; governing the artifact layer closes the class. For the broader pattern and related disclosures, see the pillar on securing AI coding agents and CLIs, and when you are ready to inventory and govern what your AI agents may write across the fleet, request early access.

Frequently asked questions

What is CVE-2026-26268 in Cursor?

CVE-2026-26268 is a critical sandbox escape in the Cursor AI code editor, disclosed by Anysphere on February 13, 2026 in GitHub security advisory GHSA-8pcm-8jpx-hv8r and rated CVSS 9.9. Cursor failed to protect .git configuration from writes by its sandboxed agent. A malicious agent - including one steered through prompt injection from repository content - could write Git settings such as hooks from inside the sandbox. When a later, routine Git operation triggered that hook, Git ran it automatically outside the sandbox, giving the attacker code execution on the developer workstation with no further user interaction. It affects Cursor before 2.5 and is fixed in 2.5.

How does the Cursor Git-hooks sandbox escape actually work?

The chain only needs a developer to open or clone a repository carrying a malicious Git configuration in Cursor. From inside the sandbox, the agent - or an injected instruction reaching the agent through repository content the agent reads - writes to .git settings such as a hook script. The sandbox was supposed to contain agent actions, but it did not block writes to Git configuration. The payload sits dormant until an ordinary Git operation such as a commit, checkout, or status runs the hook. Git executes hooks automatically and outside Cursor's sandbox, so the attacker's code runs on the workstation as the developer, without any approval prompt or extra click.

Which Cursor versions are affected and how do I fix it?

Cursor before version 2.5 is affected by CVE-2026-26268. Anysphere fixed the issue in Cursor 2.5 by adding authorization controls that prevent writes to .git configuration files from the sandboxed environment, so the agent can no longer plant a hook from inside the sandbox. Upgrade every endpoint running Cursor before 2.5. Because the payload fires on routine Git activity rather than a deliberate user action, the durable control is to inventory which endpoints run vulnerable Cursor builds and to govern what the agent is allowed to write to .git, so an escape attempt is denied and recorded before the hook ever fires.

How does Anomity reduce exposure to this class of flaw?

Anomity inventories AI agents and CLIs on every managed endpoint as part of the eight AI artifact types it tracks, so you can find which endpoints run Cursor before 2.5. On agents that expose a hook, such as a Cursor or Claude Code PreToolUse event, Anomity returns allow, deny, or log on each tool call before it runs, so a tool call that tries to write a Git hook or .git configuration file can be denied at the boundary, surfacing the escape attempt before the hook fires. Every decision and every change to Git configuration lands in a queryable 90-day audit trail routed to your SIEM, Slack, email, or Jira.
