The cursor hooks did not execute as expected

Where does the bug appear (feature/product)?

Cursor IDE
Cursor CLI
Background Agent (GitHub, Slack, Web, Linear)
BugBot
Somewhere else…

Describe the Bug

The cursor hooks did not execute as expected

Steps to Reproduce
How can you reproduce this bug? We have a much better chance at fixing issues if we can reproduce them!
I wrote two hooks, beforeMCPExecution and beforeShellExecution.

the first one is allow all mcp tools starts with yapi_.
the second one is when agent execution dangerous command will ask user.

Expected Behavior
However, in “ask everything” mode, the first hook still prompts me before execution; in “use allow-list” mode, it also keeps prompting me; only in “run everything” does it execute by default without prompting.

But in the second hook, when I write commands like rm, it prompts me before execution, but in “run everything,” it still executes by default.

Screenshots / Screen Recordings

image1242×836 71.3 KB

image1196×994 98.6 KB

Operating System

Windows 10/11
MacOS
Linux

Version Information

Version: 2.7.0-pre.113.patch.0 (Universal)
VSCode Version: 1.105.1
Commit: 6f6ca294486449fb5e8fbae6c138d459ae95dd10
Date: 2026-03-22T08:13:33.045Z
Build Type: Stable
Release Track: Nightly
Electron: 39.8.1
Chromium: 142.0.7444.265
Node.js: 22.22.1
V8: 14.2.231.22-electron.0
OS: Darwin arm64 25.3.0

For AI issues: which model did you use?
composer2 & claude opus 4.6

For AI issues: add Request ID with privacy disabled
Request ID: 907990b4-2169-4f02-96ad-b49cd74f620a

Additional Information
Add any other context about the problem here.

Does this stop you from using Cursor?

• No - Cursor works, but with this issue

Hi there!

We detected that this may be a bug report, so we’ve moved your post to the Bug Reports category.

To help us investigate and fix this faster, could you edit your original post to include the details from the template below?

IDE:
Version: 2.xx.x
VSCode Version: 1.105.1
Commit: ......

CLI:
CLI Version 2026.01.17-d239e66

The more details you provide, the easier it is for us to reproduce and fix the issue. Thanks!

Hey, this is a known bug. Right now hooks only enforce the deny permission. Both allow and ask are basically ignored.

What’s happening in your case:

Hook 1 beforeMCPExecution, allow for yapi_ tools: Returning allow from a hook does not override Cursor’s MCP approval system. The two permission paths, hooks and the built-in MCP approval flow, are separate. So your approval mode, like ask everything or use allow-list, still applies no matter what the hook returns.

Hook 2 beforeShellExecution, ask for dangerous commands: The ask permission is not enforced for shell execution. In run everything mode the command runs and ignores the ask response from your hook.

Workarounds:

• For MCP auto-approval: add the yapi_ tools to the MCP allowlist in Cursor Settings instead of relying on hooks.
• For blocking dangerous commands: use deny instead of ask. It’s the only permission that works reliably right now.

Same issue reported in several threads:

• Hook ASK output not stopping agent
• Hooks return ALLOW but MCP tool still requires manual approval / gets skipped

The team is aware of this. No ETA yet, but your report helps with prioritization.