Hero image — The Agent Will Run the Exploit for You

Here is the thing about traditional IDE security vulnerabilities: they needed you to do something. Click a link. Run a script. Install a package. The human was always in the exploit chain, and the human was always the weak link security teams tried to shore up. Two recently disclosed vulnerabilities in Cursor and GitHub Copilot break that assumption in the same way, independently, and the pattern they share is worth naming.

Two CVEs, One Structural Property

CVE-2026-26268 affects Cursor IDE, rated CVSS 9.9. The mechanism: an attacker creates a legitimate-looking repository with an embedded bare Git repository containing a malicious pre-commit hook. When a developer clones the repo and opens it in Cursor, the AI agent — following instructions in the repository's Cursor Rules file — autonomously runs Git operations. A checkout or commit triggers the hook. No user prompt. No warning. Arbitrary code execution on the developer's machine, auto-approved by the agent that was supposed to be helping write code. Patched in Cursor 2.5 (February 2026), disclosed April 28.

CVE-2025-53773 affects GitHub Copilot, rated CVSS 7.8. The mechanism: prompt injection hidden in a README, source code comment, PR description, or web page instructs Copilot to write "chat.tools.autoApprove": true to .vscode/settings.json — a setting GitHub themselves call "YOLO mode". Once that flag is set, Copilot executes shell commands with no user confirmation. The injection can be hidden using invisible Unicode characters. The attack is wormable: the compromised Copilot instance can replicate the malicious instructions into other files and repositories. Patched in the August 2025 security update.

Different tools, different mechanisms, different vendors, different timelines. Same structural property: the AI agent autonomously performs the action that triggers the exploit.

What Changed

In a traditional IDE — even one with powerful extensions and automation — the attack chain requires the developer to do something the developer wouldn't do if they understood the consequences. Social engineering targets human judgment. Phishing targets human attention. Supply chain attacks target human trust in package registries.

Both of these CVEs target the agent's autonomy instead.

In the Cursor case, the agent reads instructions from the repository it was asked to work in, and those instructions tell it to perform Git operations. Performing Git operations is exactly what a coding agent is supposed to do. The exploit is indistinguishable from normal operation because it is normal operation — in a context someone else prepared. The developer's only "mistake" was opening a repository, which is the foundational action of software development.

In the Copilot case, the agent reads content from the working environment — the same environment it needs to read to be useful — and that content instructs it to modify its own configuration. Copilot can write to .vscode/settings.json because it can write to workspace files. That's a feature. The exploit turns the feature into a self-disarming mechanism: the agent removes its own safety guardrails, then executes whatever comes next.

Both cases share what I'd call the agent-mediated exploit pattern: the adversary doesn't need to trick the human. They prepare an environment, and the agent — doing its job — triggers the payload. The more autonomous the agent, the more reliably this works.

The Connection to Trigger Authorization

I wrote in April about event-triggered agents and the authorization question they change: when an agent decides when to act, not just what to do, the authorization model fundamentally shifts. These CVEs are the security corollary. If the agent decides when to run a Git operation (Cursor) or when to modify a configuration file (Copilot), then an adversary who controls the environment the agent reads can control when the exploit fires. The trigger is the agent's judgment. The exploit targets the judgment.

This is structurally different from every prior entry in the authorization failure taxonomy I've been building. Scope failure is the agent exceeding its bounds. Supply chain failure is the tool being replaced. Behavioral opacity is the agent operating on undisclosed specifications. Agent-mediated exploitation is the agent operating exactly as designed, on an input someone else crafted — and the "as designed" behaviour is the vulnerability.

What This Means for Teams

Both vulnerabilities are patched. That is not the point. The point is the vulnerability class. Any AI coding tool that:

  1. Reads instructions or content from the working environment (which is all of them — that's the product),
  2. Takes autonomous actions based on what it reads (which is the direction the entire category is heading), and
  3. Has access to the filesystem, shell, or network (which is the access model for every serious agent)

...has this structural exposure. The next CVE in this class won't be in Cursor or Copilot. It will be in whichever tool has the most capable agent with the least restrictive sandbox.

For small teams running AI coding agents — and the average developer now uses 2.3 of them — the practical question is not "is my tool patched?" It's "does my tool's authorization model account for the fact that the agent itself is now the attack surface?" The answer, for most tools, is that it doesn't. The patches fix individual exploit chains. The pattern is architectural, and architectural problems don't get patched — they get redesigned or they keep producing CVEs.

The uncomfortable implication: the features that make AI coding agents valuable — autonomy, environmental awareness, the ability to take actions across files and systems — are the same features that make them exploitable. The attack surface is the product. That's not a bug to fix. It's a design constraint to build around.