Cursor's CVE-2026-26268, Claude Code's Dynamic Workflows, and Why Google Antigravity's Launch Was a Mess
May was a big month. Too big, arguably. Let me just talk about the things I actually care about.
Update Cursor. Do It Now.
I’ll lead with this because it’s the most urgent thing in the notes: CVE-2026-26268, rated 9.9 critical by NVD, affected Cursor versions prior to 2.5. The attack surface is uncomfortable to think about. Clone a malicious repository, let the AI agent start doing its autonomous Git thing, and you’ve potentially handed an attacker code execution on your machine.
The patch is in Cursor 3.5, which shipped on 20 May. If you haven’t updated, do that before you read the rest of this.
What makes this one stick with me is the mechanism. It’s not a traditional software vulnerability in the obvious sense. It’s a feature interaction: Git does something it’s always done, an AI agent operates autonomously the way it’s designed to, and the combination creates an exploit path. The folks at Repello AI have documented that Cursor has shipped 11-plus CVEs and named vulnerabilities in the 2025-2026 window, and that the architectural patterns producing them keep recurring. Each patch closes a hole; none of them change the shape of the building.
I use Cursor daily. I think Composer 2.5 is genuinely good, the Jira integration is the kind of practical thing that saves actual time, and Build in Parallel is worth trialling. But I’d be doing you a disservice if I led with the shiny stuff and buried the security picture at the bottom.
Claude Code’s Dynamic Workflows Are the Real Story This Month
Opus 4.8 shipped as the new default in Claude Code in the final week of May, and the model itself is fine. A hotfix was needed for thinking block corruption shortly after launch, which is the kind of thing that makes you want to wait a week before running it on anything mission-critical. Noted.
But the feature I keep thinking about is dynamic workflows. Previously, if you wanted to spin up parallel agent tasks, you were writing SDK code or doing explicit orchestration setup. Now you describe what you want and Claude builds and executes the workflow itself, with /workflows giving you a single view of what’s running, what’s blocked, and what’s done. Combined with /goal keeping Claude working across turns until a specified completion condition is met, the product is clearly moving toward sessions where you set the destination and check in occasionally rather than holding the wheel the whole time.
I have mixed feelings about this, which I’ll try to articulate honestly. On one hand, this is the thing I actually wanted: less overhead, more delegation. On the other hand, I’ve spent enough time watching Claude confidently do the wrong thing at speed to be wary of reducing the checkpoints. The /code-review command for correctness bugs and the claude agents view that shows every running session are the right instincts. Whether the safety checks keep pace with the autonomy is the question I don’t have an answer to yet.
The /effort xhigh default on the hardest tasks, and Opus 4.8 fast mode priced at 2x standard for 2.5x speed, at least make the cost-quality tradeoff legible. That’s more than most tools give you.
MCP Tunnels Are Quietly Important
Announced at Code with Claude London on 19 May: self-hosted sandboxes and MCP tunnels for Claude Managed Agents. The architecture is sensible. The agent loop stays on Anthropic infrastructure; tool execution and private MCP server access move inside your perimeter. A lightweight gateway makes a single outbound connection, no inbound firewall rules, no public endpoints.
For anyone who’s been avoiding connecting Claude agents to internal services because of the exposure requirement, this changes the calculus. Private development databases, internal APIs, regulated data that can’t leave the building: these are now in scope in a way they weren’t before.
The caveats are real though. Not yet available on Claude Platform on AWS. Memory not supported in self-hosted sessions. The MCP tunnels documentation carries explicit “as-is” language and it’s a research preview, not a production commitment. I’ve put in for access and I’m treating it as an early programme, not something to build a production dependency on yet.
The MCP 2026-07-28 release candidate also locked in May, with the most consequential change being that MCP is now stateless at the protocol layer. If you maintain MCP servers and your client code matches on the literal -32002 error code, that’s changing to -32602. Worth checking before July.
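A client-side check that keeps working across the error-code change described above, as an added example that is not taken from the MCP specification or any SDK. It assumes the affected error is the resource-not-found reply to a resources/read request; NOT_FOUND_METHODS, classify and the sample responses are hypothetical names and constructed data.

```python
import json

LEGACY_CODE = -32002  # the literal the post says client code may match on
NEW_CODE = -32602     # its replacement per the post; also JSON-RPC 2.0 "Invalid params"

# Assumption: the affected error is what a resources/read request gets back
# for an unknown resource. Adjust the set to the methods your client relies on.
NOT_FOUND_METHODS = {"resources/read"}


def classify(method: str, raw_response: str) -> str:
    """Classify a JSON-RPC response by request method and error code.

    Returns "ok", "not_found", "invalid_params", "error:<code>" or
    "error:malformed".
    """
    msg = json.loads(raw_response)
    if not isinstance(msg, dict):
        return "error:malformed"
    err = msg.get("error")
    if err is None:
        return "ok"
    code = err.get("code") if isinstance(err, dict) else None
    # bool is a subclass of int in Python; reject it and any non-integer code.
    if isinstance(code, bool) or not isinstance(code, int):
        return "error:malformed"
    if code == LEGACY_CODE:
        return "not_found"  # server still speaks the older revision
    if code == NEW_CODE:
        # -32602 is shared with ordinary parameter errors, so the code alone
        # no longer identifies the condition; the request method narrows it.
        return "not_found" if method in NOT_FOUND_METHODS else "invalid_params"
    return f"error:{code}"


# Constructed sample responses (not captured from a real server).
OLD_SERVER = '{"jsonrpc":"2.0","id":1,"error":{"code":-32002,"message":"Resource not found"}}'
NEW_SERVER = '{"jsonrpc":"2.0","id":1,"error":{"code":-32602,"message":"Resource not found"}}'
BAD_ARGS = '{"jsonrpc":"2.0","id":2,"error":{"code":-32602,"message":"Invalid params"}}'
SUCCESS = '{"jsonrpc":"2.0","id":3,"result":{"contents":[]}}'

if __name__ == "__main__":
    for method, raw in [("resources/read", OLD_SERVER), ("resources/read", NEW_SERVER),
                        ("tools/call", BAD_ARGS), ("resources/read", SUCCESS)]:
        print(method, "->", classify(method, raw))
```

Keying on the request method as well as the code matters because, after the change, the same number also covers plain parameter errors.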
Google Antigravity 2.0: Real Ambition, Rough Execution
The I/O demo was impressive in the way that demo-driven companies are often impressive: 93 parallel sub-agents, 2.6 billion tokens, a working OS core for under a thousand dollars in API credits. That’s a real number and a real result.
The launch itself was a mess. The automatic rollout converted an AI code editor into a five-component agent orchestration platform, removed the traditional IDE without warning, and broke developer environments. The IDE still exists but requires a separate download now. Community reaction on launch day was, predictably, not warm.
I understand what Google is building here. The benchmark split between Antigravity and Claude Code is clarifying: Claude Code leads on raw code quality, Antigravity leads on tool-orchestration-heavy tasks. These are different jobs. If you have a giant codebase and want cheap wide scans or batch multimodal tasks, Gemini and Antigravity make sense. For the main interactive loop and production work, I’m staying on Claude Code.
The migration deadline is not optional: Gemini CLI stops serving Free, Pro, and Ultra tiers on June 18. If you have CI/CD pipelines or scripts calling the gemini binary, that migration is urgent right now, not a “this month” item.
I’m keeping an eye on Antigravity’s SDK for the multi-agent harness. The MCP Atlas benchmark lead is real. But community trust after a rollout that broke people’s environments takes more than one release cycle to rebuild. I’m not committing workflow time to it until I see how the next release lands.
One thing I keep sitting with after a month like this: the security surface of agentic tooling is growing faster than the security practice around it. The NSA published an MCP security advisory in May. Cursor shipped a 9.9 CVE. The Claude Code security plugin is free and worth installing immediately, but it’s a plugin. The NSA being involved in advisories about coding agent protocols is a new kind of sentence to read.
I don’t think this means stop using the tools. I think it means the “move fast” phase of agentic coding is bumping into consequences that are going to require some actual discipline. What that looks like in practice, I’m still figuring out.