CVE-2026-48124
Deferred Deferred - Pending Action

Cursor Desktop Command Execution via Unapproved Workspace Hooks

Vulnerability report for CVE-2026-48124, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-15

Last updated on: 2026-06-15

Assigner: GitHub, Inc.

Description

Cursor is a code editor built for programming with AI. In versions prior to 3.0.0, the Cursor Desktop could execute workspace-defined Claude hook commands from .claude/settings.local.json without dedicated user approval. A malicious workspace or agent-created file could configure hooks that run local commands in the user's context when an agent turn ends. This could allow sandbox escape, persistence across turns, local data access, or follow-on compromise. This issue has been fixed in version 3.0.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-15
Last Modified
2026-06-15
Generated
2026-07-06
AI Q&A
2026-06-16
EPSS Evaluated
2026-07-04
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
cursor cursor to 3.0.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-829 The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The vulnerability allows execution of local commands without user approval, potentially leading to sandbox escape, persistence, local data access, or follow-on compromise. This can result in high confidentiality, integrity, and availability loss for the affected system.

Such impacts could affect compliance with standards and regulations like GDPR and HIPAA, which require protection of sensitive data and system integrity. Unauthorized local data access and potential compromise could lead to violations of data protection and privacy requirements.

Updating to Cursor Desktop version 3.0.0 or later, which enforces user approval and execution policy controls for workspace-sourced hook commands, is necessary to mitigate these risks and maintain compliance.

Executive Summary

This vulnerability affects Cursor, a code editor built for programming with AI, in versions prior to 3.0.0. The Cursor Desktop could execute workspace-defined Claude hook commands from a configuration file (.claude/settings.local.json) without requiring explicit user approval. A malicious workspace or file created by an agent could configure hooks that run local commands in the user's context when an agent turn ends.

This behavior could allow an attacker to escape the sandbox environment, maintain persistence across agent turns, access local data, or perform further compromise on the affected system.

The issue has been fixed in version 3.0.0 of Cursor.

Impact Analysis

This vulnerability can have serious impacts including allowing an attacker to execute arbitrary local commands on your system without your explicit consent.

Potential impacts include sandbox escape, which means the attacker can break out of restricted environments, persistence across agent turns, unauthorized access to local data, and further compromise of your system.

Mitigation Strategies

To mitigate this vulnerability, upgrade Cursor Desktop to version 3.0.0 or later, where the issue has been fixed.

Detection Guidance

This vulnerability involves the execution of workspace-defined Claude hook commands from the file .claude/settings.local.json without user approval in Cursor Desktop versions prior to 3.0.0.

To detect if your system is vulnerable, you can check for the presence of the .claude/settings.local.json file in your workspace directories and inspect it for any suspicious or unexpected hook commands.

Suggested commands to help detect potential exploitation or presence of malicious hooks include:

  • Find .claude/settings.local.json files in your workspace directories: find /path/to/workspace -name settings.local.json
  • Review the contents of these files for unexpected commands: cat /path/to/workspace/.claude/settings.local.json
  • Monitor for unexpected command executions or processes spawned by Cursor Desktop, for example using system process monitoring tools like: ps aux | grep cursor
  • Check recent file modifications to .claude/settings.local.json to identify recent changes: find /path/to/workspace/.claude -name settings.local.json -exec stat {} \;

Ultimately, the recommended mitigation is to update Cursor Desktop to version 3.0.0 or later, where hook commands require explicit user approval and follow execution policy controls.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-48124. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart