Skip to main content

Cursor CVE-2026-48124

| EUVDEUVD-2026-37002 HIGH
Inclusion of Functionality from Untrusted Control Sphere (CWE-829)
2026-06-15 GitHub_M
8.5
CVSS 4.0 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
8.5 HIGH
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.8 HIGH

Malicious workspace file must reach the host (AV:L); no Cursor authentication needed (PR:N); victim must open the workspace and run an agent turn (UI:R); arbitrary local command execution yields full CIA on the user account.

3.1 AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

2
Patch available
Jun 15, 2026 - 22:32 EUVD
Analysis Generated
Jun 15, 2026 - 21:52 vuln.today

DescriptionCVE.org

Cursor is a code editor built for programming with AI. In versions prior to 3.0.0, the Cursor Desktop could execute workspace-defined Claude hook commands from .claude/settings.local.json without dedicated user approval. A malicious workspace or agent-created file could configure hooks that run local commands in the user's context when an agent turn ends. This could allow sandbox escape, persistence across turns, local data access, or follow-on compromise. This issue has been fixed in version 3.0.0.

AnalysisAI

Unauthorized hook command execution in Cursor Desktop versions prior to 3.0.0 allows a malicious workspace to silently run local commands by registering Claude hooks in .claude/settings.local.json without prompting the user for approval. The flaw, tracked under CWE-829 (Inclusion of Functionality from Untrusted Control Sphere), enables sandbox escape, persistence, and follow-on compromise the moment an agent turn completes. No public exploit identified at time of analysis, but the vendor advisory GHSA-pc9j-3qc2-95wv confirms the issue and the CVSS 4.0 base score of 8.5 (High) reflects full CIA impact on the victim's workstation.

Technical ContextAI

Cursor is an AI-assisted code editor that embeds Anthropic's Claude agent and honors a project-scoped configuration file, .claude/settings.local.json, which can define hooks - shell commands that fire on agent lifecycle events such as the end of a turn. The CWE-829 root cause is that Cursor treated workspace-supplied hook definitions as trusted control input despite the workspace being attacker-controllable (a cloned repo, an agent-generated file, or a shared project folder). Per the CPE cpe:2.3:a:cursor:cursor:*:*:*:*:*:*:*:* the issue is product-wide across all Cursor builds before 3.0.0, regardless of host OS, because the hook-loading logic lacked a dedicated consent gate equivalent to the prompts used for other privileged actions.

RemediationAI

Vendor-released patch: Cursor 3.0.0 - upgrade immediately, since this is the authoritative fix called out in GHSA-pc9j-3qc2-95wv (https://github.com/cursor/cursor/security/advisories/GHSA-pc9j-3qc2-95wv). If an immediate upgrade is not possible, compensating controls include refusing to open untrusted repositories in Cursor and auditing or removing any committed .claude/settings.local.json from cloned projects before launching an agent turn (trade-off: developers lose legitimate per-project hook customization), and constraining the editor process with OS-level sandboxing such as macOS App Sandbox profiles or Linux user namespaces to limit what a triggered hook can touch (trade-off: may break tooling that relies on broad filesystem access). Organizations should also disallow agent runs on freshly cloned repositories until a manual review of any .claude/ directory has been performed.

More in Cursor

View all
CVE-2026-22708 CRITICAL
9.8 Jan 14

Cursor AI code editor before 2.3 allows prompt injection to bypass the Agent's Allowlist mode. Shell built-ins can execu

CVE-2026-50549 CRITICAL
9.3 Jun 25

Sandbox escape leading to non-sandboxed remote code execution in Cursor (the AI code editor) prior to version 3.0, where

CVE-2026-50548 CRITICAL
9.3 Jun 25

Sandbox escape leading to non-sandboxed remote code execution affects the Cursor AI code editor prior to version 3.0, wh

CVE-2025-61592 HIGH
8.8 Oct 03

Cursor is a code editor built for programming with AI. In versions 1.7 and below, automatic loading of project-specific

CVE-2025-61591 HIGH
8.8 Oct 03

Cursor is a code editor built for programming with AI. In versions 1.7 and below, when MCP uses OAuth authentication wit

CVE-2026-31854 HIGH
8.8 Mar 11

Cursor is a code editor built for programming with AI. versions up to 2.0 is affected by os command injection.

CVE-2025-59944 HIGH
8.0 Oct 03

Cursor is a code editor built for programming with AI. Versions 1.6.23 and below contain case-sensitive checks in the wa

CVE-2026-26268 HIGH
8.0 Feb 13

Cursor versions before 2.5 allow sandbox escape through improper .git configuration file protections, enabling malicious

CVE-2026-61613 HIGH
7.7 Jul 15

Server-side request forgery leading to code execution in Cursor's browser-enabled Cloud Agent lets attacker-controlled w

CVE-2025-61590 HIGH
7.5 Oct 03

Cursor is a code editor built for programming with AI. Versions 1.6 and below are vulnerable to Remote Code Execution (R

CVE-2025-61593 HIGH
7.1 Oct 03

Cursor is a code editor built for programming with AI. In versions 1.7 and below, a vulnerability in the way Cursor CLI

CVE-2025-61589 MEDIUM
5.9 Oct 03

Cursor is a code editor built for programming with AI. In versions 1.6 and below, Mermaid (a to render diagrams) allows

Share

CVE-2026-48124 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy