CVE-2026-26268
Published: 13 February 2026
Summary
CVE-2026-26268 is a high-severity Missing Authorization (CWE-862) vulnerability in Anysphere Cursor. Its CVSS base score is 8.0 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE is ranked at the 15.0th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related: it is categorised as Other AI Platforms, in the LLM/Generative AI Risks risk domain.
The strongest mitigations our analysis identified are NIST 800-53 AC-25 (Reference Monitor) and AC-3 (Access Enforcement).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Enforces approved authorizations for access to system resources, directly preventing unauthorized writes to .git configuration files by sandboxed processes.
Implements a reference monitor to mediate and enforce access control policies in a tamper-resistant manner, addressing the sandbox's failure to protect .git settings from modification.
Authorizes access to resources based on least privilege, ensuring sandboxed agents lack permissions to write to sensitive .git directories leading to RCE.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Sandbox escape via unauthorized .git/config modification (git hooks) directly enables host RCE and privilege escalation from within the restricted environment.
NVD Description
Cursor is a code editor built for programming with AI. Sandbox escape via writing .git configuration was possible in versions prior to 2.5. A malicious agent (ie prompt injection) could write to improperly protected .git settings, including git hooks, which may cause out-of-sandbox RCE next time they are triggered. No user interaction was required as Git executes these commands automatically. Fixed in version 2.5.
Deeper analysis
CVE-2026-26268 is a sandbox escape vulnerability in Cursor, a code editor built for programming with AI, affecting versions prior to 2.5. The flaw stems from improper protection of .git configuration files, enabling unauthorized writes to settings such as git hooks (CWE-862: Missing Authorization). Published on 2026-02-13, it carries a CVSS v3.1 base score of 8.0 (AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H).
A malicious agent, for example via prompt injection, can exploit this by writing to the .git configuration from within the sandboxed environment. When Git automatically triggers these commands, such as executing hooks, it results in remote code execution (RCE) outside the sandbox. No user interaction is required, though exploitation demands network access, high attack complexity, and high privileges.
The vulnerability is fixed in Cursor version 2.5. Additional details on mitigation are available in the GitHub security advisory at https://github.com/cursor/cursor/security/advisories/GHSA-8pcm-8jpx-hv8r.
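A defender-side check for the condition described above, as an added example (not code from Cursor or from the advisory): it lists the live hooks and the command-bearing config keys inside a repository's .git directory. The names `audit_repo`, `parse_git_config` and the short `EXEC_KEYS` list are assumptions of this example, and the key list is not exhaustive.

```python
import os
import re
import sys

# Config keys whose values Git may run as commands or use to locate hooks.
# Assumption: a short, non-exhaustive list chosen for this example.
EXEC_KEYS = {"core.hookspath", "core.fsmonitor", "core.sshcommand"}

SECTION_RE = re.compile(r'^\[\s*([A-Za-z0-9.-]+)(?:\s+"(.*)")?\s*\]')

def parse_git_config(text):
    """Minimal line-based parser yielding (lowercased 'section.key', value).
    Does not follow include directives or handle line continuations."""
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            continue
        key, _, value = line.partition("=")
        yield f"{section}.{key.strip().lower()}", value.strip()

def audit_repo(repo_root):
    """Return sorted findings for a working tree that contains a .git directory."""
    git_dir = os.path.join(repo_root, ".git")
    findings = []
    hooks_dir = os.path.join(git_dir, "hooks")
    if os.path.isdir(hooks_dir):
        for name in os.listdir(hooks_dir):
            path = os.path.join(hooks_dir, name)
            # Git ships inert templates as *.sample; any other file is a hook candidate.
            if os.path.isfile(path) and not name.endswith(".sample"):
                findings.append(f"hook:{name}")
    cfg = os.path.join(git_dir, "config")
    if os.path.isfile(cfg):
        with open(cfg, encoding="utf-8", errors="replace") as fh:
            for key, value in parse_git_config(fh.read()):
                if key in EXEC_KEYS:
                    findings.append(f"config:{key}={value}")
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit_repo(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(finding)
```

Running it before and after an agent session and comparing the two results shows whether anything Git would execute was added under .git.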
Details
- CWE(s)
Affected Products
AI Security Analysis
- AI Category: Other AI Platforms
- Risk Domain: LLM/Generative AI Risks
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: Matched keywords: ai, prompt injection