Skip to main content

Cursor CVE-2026-50549

| EUVDEUVD-2026-39536 CRITICAL
Improper Link Resolution Before File Access (CWE-59)
2026-06-25 GitHub_M
9.3
CVSS 4.0 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
9.3 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
10.0 CRITICAL

Malicious agent input can be delivered remotely (AV:N) and the bypass is deterministic (AC:L, PR:N, UI:N); escaping the sandbox to compromise the host is a scope change (S:C) with full C/I/A loss.

3.1 AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Patch available
Jun 25, 2026 - 20:03 EUVD
Analysis Generated
Jun 25, 2026 - 19:16 vuln.today

DescriptionCVE.org

Cursor is a code editor built for programming with AI. Prior to 3.0, Cursor runs agent terminal commands in a sandbox by default. Before a Write, the agent canonicalizes the target path to confirm it stays inside the workspace, but when canonicalization fails it falls back to the original path and writes without approval. A malicious agent can create an in-workspace symlink that points outside the workspace and force canonicalization to fail - either because the target does not exist or because read permission is removed from the path - so the agent writes through the symlink to an arbitrary location without approval. A malicious agent could write arbitrary files outside the workspace under the user's privileges. This enables non-sandboxed Remote Code Execution - for example by overwriting the cursorsandbox helper so later commands run unsandboxed - with no user interaction beyond a benign prompt. This vulnerability is fixed in 3.0.

AnalysisAI

Sandbox escape leading to non-sandboxed remote code execution in Cursor (the AI code editor) prior to version 3.0, where a malicious agent can write files outside the protected workspace. Cursor canonicalizes a Write target to confirm it stays in-workspace, but when canonicalization fails it insecurely falls back to the raw path and writes without approval; an agent can deliberately force this failure via an in-workspace symlink pointing outside the workspace (target missing or read permission stripped) to write arbitrary files under the user's privileges. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Plant prompt-injection in repo content
Delivery
Agent creates out-of-workspace symlink
Exploit
Force canonicalization to fail
Install
Write through symlink, bypass approval
C2
Overwrite cursorsandbox helper
Execute
Next command runs unsandboxed
Impact
Arbitrary code execution as user

Vulnerability AssessmentAI

Exploitation Exploitation requires Cursor prior to 3.0 running its default agent terminal sandbox, and requires the AI agent to be influenced to act maliciously (e.g., via prompt injection in repository/content the agent processes) - the description's 'malicious agent' is the core prerequisite. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are largely consistent on high severity: the vendor CVSS 4.0 base score is 9.3 with vector AV:N/AC:L/AT:N/PR:N/UI:N and high confidentiality, integrity, and availability impact, reflecting a reliable, low-complexity bypass that needs no special attack requirements. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A developer asks Cursor's agent to work on a repository that contains attacker-planted prompt-injection content; acting on it, the agent creates an in-workspace symlink pointing outside the workspace and ensures canonicalization fails (target absent or read permission removed). The agent then issues a Write through the symlink - bypassing approval - to overwrite the cursorsandbox helper, so the next agent terminal command executes unsandboxed on the host under the user's privileges. …
Remediation Upgrade to Cursor 3.0 or later, which fixes the canonicalization fail-open behavior - this is the primary and vendor-confirmed remediation (Vendor-released patch: 3.0), documented in advisory GHSA-3v8f-48vw-3mjx (https://github.com/cursor/cursor/security/advisories/GHSA-3v8f-48vw-3mjx). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all Cursor deployments and identify vulnerable versions (prior to 3.0); brief development leadership and security team on the RCE risk. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Cursor

View all
CVE-2026-22708 CRITICAL
9.8 Jan 14

Cursor AI code editor before 2.3 allows prompt injection to bypass the Agent's Allowlist mode. Shell built-ins can execu

CVE-2026-50548 CRITICAL
9.3 Jun 25

Sandbox escape leading to non-sandboxed remote code execution affects the Cursor AI code editor prior to version 3.0, wh

CVE-2025-61592 HIGH
8.8 Oct 03

Cursor is a code editor built for programming with AI. In versions 1.7 and below, automatic loading of project-specific

CVE-2025-61591 HIGH
8.8 Oct 03

Cursor is a code editor built for programming with AI. In versions 1.7 and below, when MCP uses OAuth authentication wit

CVE-2026-31854 HIGH
8.8 Mar 11

Cursor is a code editor built for programming with AI. versions up to 2.0 is affected by os command injection.

CVE-2026-48124 HIGH
8.5 Jun 15

Unauthorized hook command execution in Cursor Desktop versions prior to 3.0.0 allows a malicious workspace to silently r

CVE-2025-59944 HIGH
8.0 Oct 03

Cursor is a code editor built for programming with AI. Versions 1.6.23 and below contain case-sensitive checks in the wa

CVE-2026-26268 HIGH
8.0 Feb 13

Cursor versions before 2.5 allow sandbox escape through improper .git configuration file protections, enabling malicious

CVE-2026-61613 HIGH
7.7 Jul 15

Server-side request forgery leading to code execution in Cursor's browser-enabled Cloud Agent lets attacker-controlled w

CVE-2025-61590 HIGH
7.5 Oct 03

Cursor is a code editor built for programming with AI. Versions 1.6 and below are vulnerable to Remote Code Execution (R

CVE-2025-61593 HIGH
7.1 Oct 03

Cursor is a code editor built for programming with AI. In versions 1.7 and below, a vulnerability in the way Cursor CLI

CVE-2025-61589 MEDIUM
5.9 Oct 03

Cursor is a code editor built for programming with AI. In versions 1.6 and below, Mermaid (a to render diagrams) allows

Share

CVE-2026-50549 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy