Security firm Mindgard discovered that the AI-powered code editor Cursor, on Windows, automatically launches any executable placed in a repository's root folder as long as it is named git.exe. The cause: when Cursor runs Git commands, Windows searches the current directory for the file before checking regular PATH locations.

To prove it, researchers renamed the Windows Calculator (calc.exe) to git.exe and placed it in a test repository. Opening that repository in Cursor caused Calculator to launch automatically - demonstrating arbitrary code execution simply from opening an untrusted project, with no further interaction required.

The flaw persists even when Cursor's "Workspace Trust" feature is enabled in restricted mode, which is meant to limit AI/agent actions on untrusted folders. Testing confirmed git.exe still runs in restricted mode, unlike Visual Studio Code 1.129, which blocks execution of local binaries in that mode.

According to Mindgard, the vulnerability was reported directly to the security contact address published in Cursor's security.txt file, followed by repeated attempts through other channels over roughly seven months, with no substantive response or fix. That silence led the researchers to full public disclosure, arguing it was the only remaining way to warn users.

On Reddit, commenters call the underlying bug "trivial" to fix, for instance by using Git's fully-qualified installation path or running "where git" while excluding the current directory. Some noted the issue appears specific to Windows PATH behavior and did not reproduce on macOS testing. Others argued practical risk requires already having a malicious executable in the project, comparable to other malware risks - though for many, the vendor's non-response remains the most alarming part.