CVE-2026-63093 in Cursor
Summary
by MITRE • 07/17/2026
Cursor for Windows version 3.2.16 contains a binary planting vulnerability that allows remote attackers to achieve arbitrary code execution by placing a malicious git.exe file in the repository root directory. When a developer clones and opens a crafted repository, Cursor automatically resolves and executes the workspace-resident git.exe during IDE startup and on a recurring timed cadence without any user interaction, running the malicious binary under the privileges of the current user.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 07/17/2026
This vulnerability represents a critical binary planting flaw in Cursor for Windows version 3.2.16 that exploits the software's automatic resolution of git.exe binaries within repository directories. The issue stems from improper path resolution mechanisms that prioritize local workspace files over system paths, creating an environment where attackers can place malicious executables that will be automatically executed by the IDE without user intervention. The vulnerability specifically affects the IDE's handling of Git operations during both initial startup and periodic background tasks, making it particularly dangerous as it operates completely transparently to the end user.
The technical implementation of this flaw aligns with CWE-426 Untrusted Search Path, where an application searches for executables in predictable locations without proper validation of file sources or integrity checks. Attackers can craft malicious repositories containing a specially named git.exe binary that gets executed when developers clone and open these repositories, effectively leveraging the IDE's legitimate Git integration functionality to deliver malware payloads. This exploitation technique bypasses traditional security controls since the malicious code executes under the privileges of the currently logged-in user rather than requiring elevated permissions.
The operational impact of this vulnerability extends beyond simple code execution as it enables persistent threat actor operations through seemingly legitimate development workflows. Developers routinely clone repositories from various sources, making this attack vector particularly effective for widespread compromise. The recurring timed cadence mentioned in the description indicates that the malicious binary executes not just during initial IDE startup but also periodically, potentially allowing attackers to maintain persistence or perform additional malicious activities without requiring repeated user interaction. This behavior aligns with ATT&CK technique T1059.001 Command and Scripting Interpreter where adversaries use legitimate system tools to execute code.
Mitigation strategies must address both the immediate vulnerability and broader security practices within development environments. Organizations should implement strict file integrity validation for all binaries within development workspaces, particularly those used by IDEs for version control operations. The recommended approach includes configuring IDEs to use explicit, trusted path resolution mechanisms rather than automatic workspace resolution, implementing file system monitoring for suspicious binary placement activities, and establishing security awareness training for developers regarding the risks of cloning untrusted repositories. Additionally, network-level controls such as application whitelisting and endpoint detection systems should be deployed to monitor for execution of unauthorized binaries in development environments. The vulnerability demonstrates the critical importance of secure coding practices in development tools and highlights the need for comprehensive threat modeling that considers how legitimate software features can be exploited by adversaries.