ShipSafe is the independent verifier for AI-built apps. The tool that built your app can't grade its own work, so ShipSafe checks it from the outside: it reads your code and probes your deployed app the way a stranger on the internet would, then proves what is actually exposed, in plain English. Built for apps made with Cursor, Lovable, Bolt, v0, and Replit. Paste a GitHub URL or a live URL and get a report in minutes.

How does ShipSafe work?

ShipSafe verifies your app two ways. It reads your code (or GitHub repo) for logic-level bugs like inverted auth and missing ownership checks, and it probes your deployed app from the public internet the way an attacker would: missing security headers, secrets leaked into the browser bundle, database tables and storage readable with no login, and IDOR across two test accounts. Every finding comes with the proof and a plain-English fix.

Yes. ShipSafe offers a free plan with 3 scans per month, no credit card required. Paid plans start at $9 for a one-time AI audit; Growth ($19/month) and Shield ($39/month) add continuous monitoring plus the CLI, MCP server, and GitHub Actions so you can scan from your terminal, your AI editor, and CI.

What vulnerabilities does ShipSafe detect?

ShipSafe detects IDOR (Insecure Direct Object References, proven across two real accounts), inverted authentication logic, frontend-only role checks, hardcoded API keys and secrets (and whether a leaked key still works right now), SQL injection, cross-site scripting (XSS), CSRF, and the data-exposure bugs that dominate AI-built apps: Supabase tables, Storage buckets, and database functions, plus Firebase databases, that a stranger can read with no login. It proves these from the public internet, not just by reading code. In our scan of 100 AI-built apps, 67% had at least one critical vulnerability.

Cursor the editor is SOC 2 Type II certified. However, three CVEs were published against it in 2025, and the code it generates contains vulnerabilities roughly 45% of the time according to Stanford research. ShipSafe is built to catch the security issues that Cursor's AI introduces into your codebase.

How is ShipSafe different?

The tool that built your app can't independently vouch for it, and a code-only scanner can't see what's exposed on the live internet. ShipSafe is the independent verifier: it reads your code and probes your deployed app from the outside, proving leaked keys that still work, database tables and storage readable by anyone, and IDOR across two real accounts, with the receipt. It is specifically tuned for the patterns Cursor, Lovable, and Bolt generate.

What is CVE-2026-26268?

A high-severity arbitrary code execution vulnerability in Cursor IDE. When the Cursor agent autonomously runs git operations inside a repository it doesn't control, an attacker-placed pre-commit hook fires automatically. The impact is auto-approved code execution on the developer's machine triggered by ordinary use of the IDE on a cloned repo.

Is this a Cursor bug or a Git bug?

Technically it's a feature interaction. Git's hook system has always run hooks installed in the repo's .git/hooks directory. That's by design for solo use. But when an AI agent autonomously runs git commands inside a repo the user just cloned, the security context flips — the user hasn't reviewed the hooks, but the agent triggers them anyway. Cursor's part of the fix is to refuse to run git commands in repos with non-empty .git/hooks until the user approves.

How is this different from CVE-2026-22708 or CVE-2025-59944?

All three Cursor CVEs disclosed in 2026 share a theme — agent autonomy outrunning the IDE's safety checks. CVE-2026-22708 is the shell built-in allowlist bypass (export, unset etc. skip the allowlist). CVE-2025-59944 is the case-sensitive filename bypass. CVE-2026-26268 is the git hook trap. Three different protection layers, three different ways the agent bypassed them.

What should I do right now?

Update Cursor past the patched version. Then check your habits: when you clone a new repo and immediately open it in Cursor, the agent may have already done something before you reviewed the code. Adopt the rule: open, manually inspect .git/hooks AND any .cursor/rules content, THEN start the agent. ShipSafe's ai-agent/cursor-auto-run-enabled rule flags repos where this guardrail has been turned off.

All posts

CursorCVEGitSecurity

Cursor's Git Hook Trap: One Clone, Full RCE (CVE-2026-26268)

An AI agent clones a repo. The agent runs git commit. A pre-commit hook the attacker placed fires with full developer privileges. No prompt, no click. This is CVE-2026-26268. Here's the fix.

May 17, 20266 min read

You clone an interesting open-source repo someone linked on Twitter. You open it in Cursor. You tell the agent: "summarize this codebase." The agent reads files, makes notes, then — being helpful — commits its notes to a scratch branch. The repo had a pre-commit hook. The hook ran. The hook was malicious.

That's CVE-2026-26268 in a sentence. High severity. Arbitrary code execution. Triggered by ordinary use of the IDE on a repo you don't control.

The bug isn't subtle. The lesson is.

1. What actually happens

Step by step:

Attacker publishes a repo. It looks like a useful tool, a tutorial, a model card — whatever. Inside is a normal project plus a populated .git/hooks/pre-commit file. (Note: git hooks are technically not shared by default through git clone — the attack variants either use core.hooksPath pointed at a tracked directory, or use embedded sub-repositories with their own .git directories.)
You clone, you open in Cursor. Cursor indexes the codebase. Agent mode is on.
You ask the agent to do something useful. "Summarize this." "Run the tests." "Try fixing the README typo." Anything that has the agent run git add,git commit,git rebase, or anything that triggers a hook.
The hook fires. Pre-commit hooks run as your user, with your environment. They can read ~/.aws/credentials,~/.ssh/id_rsa, your shell history, anything you can read.

You did not approve anything. The agent did not prompt you. The IDE didn't warn you. Cursor's allowlist doesn't see hook execution as a separate event — it just sees git commit, which it has approved.

2. Why this was always going to bite

Git hooks have lived in .git/hooks/ since git was invented in 2005. The threat model has always been: hooks are local. You install hooks yourself. If a hook runs, you put it there.

That threat model survived 20 years of human developers. It broke the instant an agent started running git commands autonomously on repos the user hadn't manually reviewed.

This is a recurring shape across all the 2026 AI-tool CVEs: features that were safe under the assumption "the human is reading every file before acting on it" became dangerous when an agent started acting first. The hook is the same hook. The trust context changed.

3. Cursor 2026 — three CVEs, one theme

CVE-2026-26268 isn't alone. Cursor disclosed three CVEs in the first half of 2026, all of them variations on "the agent moved faster than the safety check":

CVE-2026-22708 — Allowlist shell-builtin bypass

In Auto-Run Mode with Allowlist enabled, shell built-ins like export, unset, set aren't checked against the allowlist. Modify the environment, then run a trusted command — it runs with your malicious env.

CVE-2025-59944 — Case-sensitive bypass

Sensitive filename checks were case-sensitive while macOS/Windows filesystems are case-insensitive. .Cursor/MCP.JSON skipped the confirmation prompt; the OS still loaded the file as .cursor/mcp.json.

CVE-2026-26268 — Git hook RCE

The hook trap covered in this post.

Each of these is patched. The class isn't. As long as IDEs add agent autonomy faster than they add corresponding safety checks, the next CVE is already incubating.

4. A 60-second per-repo audit

Run this in any freshly cloned repo before you open it in Cursor:

# 1. List git hooks (real-world: most repos have none)
ls -la .git/hooks/ | grep -v "\.sample$"

# 2. Check for custom hooks path pointed at tracked files
git config --get core.hooksPath

# 3. Sub-repos with their own .git/hooks
find . -mindepth 2 -name "hooks" -path "*/.git/*"

# 4. Cursor rules — any invisible Unicode?
ls .cursor/rules/*.mdc .cursorrules 2>/dev/null
perl -CSDA -ne 'print "$ARGV:$.\n" if /[\x{200B}-\x{200F}\x{E0000}-\x{E007F}]/' \
  .cursor/rules/*.mdc .cursorrules 2>/dev/null

# 5. MCP config — any shell-command servers?
cat .cursor/mcp.json 2>/dev/null

Anything that returns content you can't explain is the line where you stop and read before letting the agent touch anything.

5. Fixes — patch, posture, scanner

Patch: update Cursor to the patched version. The fix refuses to run git commands inside a repo with non-empty .git/hooks/ or a non-default core.hooksPath until you approve.

Posture: change your default flow when opening unfamiliar repos.

Clone, then run the 60-second audit above.
Open in Cursor with agent mode OFF.
Skim the codebase yourself.
Turn agent mode on only after you're satisfied the repo's config and hooks are safe.

Scanner: ShipSafe ships rules for:

ai-agent/cursor-auto-run-enabled — flags repos where Auto-Run / YOLO mode is on.
ai-agent/agent-allowlist-disabled — flags repos that disable the allowlist.
llm/agent-writes-to-git-hooks — flags code in your own app that writes to .git/hooks/ based on agent or external input (the application-side variant of this attack).

The bottom line

CVE-2026-26268 is a patched bug in a specific IDE. It's also a preview of every agent-autonomy-vs-trust-context CVE that hasn't been written yet. Whenever an agent can act faster than a human can review, the old assumptions about "this is safe because a developer wouldn't do that" get reset.

See also: Cursor Security Risks for the 2025 baseline.

Is your app cooked?

Paste your GitHub URL. 2 minutes. We'll tell you exactly what AI missed — free, no card.

Scan My App Free