Malicious cloned repository triggered code execution in Cursor on Windows
Quick Answer
Cursor caused a critical-severity (10/10) security vulnerability failure: Malicious cloned repository triggered code execution in Cursor on Windows. The root cause was tool misuse. The flaw converted a normal developer workflow — cloning a repo to look at it — into a remote code execution vector on Windows hosts, exposing local secrets and source.
Description
A vulnerability disclosed in July 2026 allowed a malicious cloned repository to trigger code execution in the Cursor editor on Windows. Reviewing untrusted code by cloning and opening it is one of the most common things a developer does, and the flaw turned that routine action into a compromise of the local machine — no explicit 'run' step required. Code execution on the host exposed whatever credentials, tokens, and source the developer's environment could reach. It is part of a broader pattern in which AI coding tools blur the line between opening code and executing it.
Instruction Given
Open and work on a freshly cloned repository in the Cursor editor.
Expected Behavior
Opening or cloning a repository should never execute code from that repository without explicit user action.
Actual Behavior
A crafted repository could trigger code execution on Windows simply by being cloned and opened in Cursor, turning the routine act of inspecting untrusted code into a compromise of the developer's machine.
Impact / Damage
The flaw converted a normal developer workflow — cloning a repo to look at it — into a remote code execution vector on Windows hosts, exposing local secrets and source.
Frequently Asked Questions
What happened in incident STUPID-2026-0029? ▾
A vulnerability disclosed in July 2026 allowed a malicious cloned repository to trigger code execution in the Cursor editor on Windows. Reviewing untrusted code by cloning and opening it is one of the most common things a developer does, and the flaw turned that routine action into a compromise of the local machine — no explicit 'run' step required. Code execution on the host exposed whatever credentials, tokens, and source the developer's environment could reach. It is part of a broader pattern in which AI coding tools blur the line between opening code and executing it.
Which AI agent caused this failure? ▾
Cursor was responsible for this security vulnerability incident, documented as STUPID-2026-0029 in the StupidLLM AI agent incident database.
How severe was this AI agent failure? ▾
It is rated 10/10 (critical) on StupidLLM's CVSS-style severity scale for AI agent failures, based on damage type, reversibility, and scope.
What was the root cause? ▾
The root cause was classified as tool misuse. Opening or cloning a repository should never execute code from that repository without explicit user action.
What was the impact or damage? ▾
The flaw converted a normal developer workflow — cloning a repo to look at it — into a remote code execution vector on Windows hosts, exposing local secrets and source.