CVE-2026-50548
Undergoing Analysis Undergoing Analysis - In Progress
Agent Sandbox Escape in Cursor Code Editor Prior to 3.0

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: GitHub, Inc.

Description
Cursor is a code editor built for programming with AI. Prior to 3.0, Cursor runs agent terminal commands in a sandbox by default, and the sandbox grants write access to the command's working directory. A flaw was identified in how the agent could modify the working_directory parameter, which could cause the sandbox to include writable paths outside the intended workspace. A malicious agent could set working_directory to a sensitive location and write arbitrary files outside the workspace under the user's privileges. This enables non-sandboxed Remote Code Execution β€” for example by overwriting the cursorsandbox helper so later commands run unsandboxed β€” with no user interaction beyond a benign prompt. This vulnerability is fixed in 3.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-25
Last Modified
2026-06-25
Generated
2026-06-26
AI Q&A
2026-06-25
EPSS Evaluated
N/A
NVD
CVE-2026-50548
EUVD
EUVD-2026-39537
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
cursor cursor to 3.0 (inc)
cursor cursor to 3.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The provided information does not specify how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

The vulnerability exists in Cursor, a code editor designed for programming with AI, prior to version 3.0. Cursor runs agent terminal commands in a sandbox that grants write access to the command's working directory. However, there is a flaw in how the agent can modify the working_directory parameter, allowing the sandbox to include writable paths outside the intended workspace.

A malicious agent could exploit this flaw by setting the working_directory to a sensitive location outside the workspace and write arbitrary files there with the user's privileges. This can lead to non-sandboxed Remote Code Execution, for example by overwriting the cursorsandbox helper so that later commands run without sandbox restrictions, all without requiring any user interaction beyond a benign prompt.

This vulnerability was fixed in Cursor version 3.0.

Impact Analysis

This vulnerability can have severe impacts because it allows a malicious agent to execute arbitrary code outside the sandbox with the user's privileges without any user interaction beyond a benign prompt.

An attacker could overwrite important files or helpers like the cursorsandbox helper, enabling subsequent commands to run unsandboxed, potentially leading to full remote code execution on the affected system.

This could compromise the security and integrity of your system, leading to unauthorized access, data modification, or further exploitation.

Mitigation Strategies

The vulnerability is fixed in Cursor version 3.0. Immediate mitigation involves upgrading Cursor to version 3.0 or later to ensure the sandbox properly restricts writable paths and prevents unauthorized remote code execution.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-50548. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart