Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Malicious workspace file must reach the host (AV:L); no Cursor authentication needed (PR:N); victim must open the workspace and run an agent turn (UI:R); arbitrary local command execution yields full CIA on the user account.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Cursor is a code editor built for programming with AI. In versions prior to 3.0.0, the Cursor Desktop could execute workspace-defined Claude hook commands from .claude/settings.local.json without dedicated user approval. A malicious workspace or agent-created file could configure hooks that run local commands in the user's context when an agent turn ends. This could allow sandbox escape, persistence across turns, local data access, or follow-on compromise. This issue has been fixed in version 3.0.0.
AnalysisAI
Unauthorized hook command execution in Cursor Desktop versions prior to 3.0.0 allows a malicious workspace to silently run local commands by registering Claude hooks in .claude/settings.local.json without prompting the user for approval. The flaw, tracked under CWE-829 (Inclusion of Functionality from Untrusted Control Sphere), enables sandbox escape, persistence, and follow-on compromise the moment an agent turn completes. No public exploit identified at time of analysis, but the vendor advisory GHSA-pc9j-3qc2-95wv confirms the issue and the CVSS 4.0 base score of 8.5 (High) reflects full CIA impact on the victim's workstation.
Technical ContextAI
Cursor is an AI-assisted code editor that embeds Anthropic's Claude agent and honors a project-scoped configuration file, .claude/settings.local.json, which can define hooks - shell commands that fire on agent lifecycle events such as the end of a turn. The CWE-829 root cause is that Cursor treated workspace-supplied hook definitions as trusted control input despite the workspace being attacker-controllable (a cloned repo, an agent-generated file, or a shared project folder). Per the CPE cpe:2.3:a:cursor:cursor:*:*:*:*:*:*:*:* the issue is product-wide across all Cursor builds before 3.0.0, regardless of host OS, because the hook-loading logic lacked a dedicated consent gate equivalent to the prompts used for other privileged actions.
RemediationAI
Vendor-released patch: Cursor 3.0.0 - upgrade immediately, since this is the authoritative fix called out in GHSA-pc9j-3qc2-95wv (https://github.com/cursor/cursor/security/advisories/GHSA-pc9j-3qc2-95wv). If an immediate upgrade is not possible, compensating controls include refusing to open untrusted repositories in Cursor and auditing or removing any committed .claude/settings.local.json from cloned projects before launching an agent turn (trade-off: developers lose legitimate per-project hook customization), and constraining the editor process with OS-level sandboxing such as macOS App Sandbox profiles or Linux user namespaces to limit what a triggered hook can touch (trade-off: may break tooling that relies on broad filesystem access). Organizations should also disallow agent runs on freshly cloned repositories until a manual review of any .claude/ directory has been performed.
Cursor AI code editor before 2.3 allows prompt injection to bypass the Agent's Allowlist mode. Shell built-ins can execu
Sandbox escape leading to non-sandboxed remote code execution in Cursor (the AI code editor) prior to version 3.0, where
Sandbox escape leading to non-sandboxed remote code execution affects the Cursor AI code editor prior to version 3.0, wh
Cursor is a code editor built for programming with AI. In versions 1.7 and below, automatic loading of project-specific
Cursor is a code editor built for programming with AI. In versions 1.7 and below, when MCP uses OAuth authentication wit
Cursor is a code editor built for programming with AI. versions up to 2.0 is affected by os command injection.
Cursor is a code editor built for programming with AI. Versions 1.6.23 and below contain case-sensitive checks in the wa
Cursor versions before 2.5 allow sandbox escape through improper .git configuration file protections, enabling malicious
Server-side request forgery leading to code execution in Cursor's browser-enabled Cloud Agent lets attacker-controlled w
Cursor is a code editor built for programming with AI. Versions 1.6 and below are vulnerable to Remote Code Execution (R
Cursor is a code editor built for programming with AI. In versions 1.7 and below, a vulnerability in the way Cursor CLI
Cursor is a code editor built for programming with AI. In versions 1.6 and below, Mermaid (a to render diagrams) allows
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37002