STUPID-2026-0029 Severity 10/10 — CRITICAL Verified

Malicious cloned repository triggered code execution in Cursor on Windows

Agent: cursor Domain: infra
Failure Mode
Security Vulnerability
Root Cause
Tool Misuse
Task Type
Bugfix
Reproducible
No

Quick Answer

Cursor caused a critical-severity (10/10) security vulnerability failure: Malicious cloned repository triggered code execution in Cursor on Windows. The root cause was tool misuse. The flaw converted a normal developer workflow — cloning a repo to look at it — into a remote code execution vector on Windows hosts, exposing local secrets and source.

Description

A vulnerability disclosed in July 2026 allowed a malicious cloned repository to trigger code execution in the Cursor editor on Windows. Reviewing untrusted code by cloning and opening it is one of the most common things a developer does, and the flaw turned that routine action into a compromise of the local machine — no explicit 'run' step required. Code execution on the host exposed whatever credentials, tokens, and source the developer's environment could reach. It is part of a broader pattern in which AI coding tools blur the line between opening code and executing it.

Instruction Given

Open and work on a freshly cloned repository in the Cursor editor.

Expected Behavior

Opening or cloning a repository should never execute code from that repository without explicit user action.

Actual Behavior

A crafted repository could trigger code execution on Windows simply by being cloned and opened in Cursor, turning the routine act of inspecting untrusted code into a compromise of the developer's machine.

Impact / Damage

The flaw converted a normal developer workflow — cloning a repo to look at it — into a remote code execution vector on Windows hosts, exposing local secrets and source.

Share this incident

Help others know about this AI agent failure

Source: News Report View source Reported July 15, 2026

Frequently Asked Questions

What happened in incident STUPID-2026-0029?

A vulnerability disclosed in July 2026 allowed a malicious cloned repository to trigger code execution in the Cursor editor on Windows. Reviewing untrusted code by cloning and opening it is one of the most common things a developer does, and the flaw turned that routine action into a compromise of the local machine — no explicit 'run' step required. Code execution on the host exposed whatever credentials, tokens, and source the developer's environment could reach. It is part of a broader pattern in which AI coding tools blur the line between opening code and executing it.

Which AI agent caused this failure?

Cursor was responsible for this security vulnerability incident, documented as STUPID-2026-0029 in the StupidLLM AI agent incident database.

How severe was this AI agent failure?

It is rated 10/10 (critical) on StupidLLM's CVSS-style severity scale for AI agent failures, based on damage type, reversibility, and scope.

What was the root cause?

The root cause was classified as tool misuse. Opening or cloning a repository should never execute code from that repository without explicit user action.

What was the impact or damage?

The flaw converted a normal developer workflow — cloning a repo to look at it — into a remote code execution vector on Windows hosts, exposing local secrets and source.