CVE-2026-50549
Undergoing Analysis Undergoing Analysis - In Progress
Agent-Controlled Symlink Bypass in Cursor Editor

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: GitHub, Inc.

Description
Cursor is a code editor built for programming with AI. Prior to 3.0, Cursor runs agent terminal commands in a sandbox by default. Before a Write, the agent canonicalizes the target path to confirm it stays inside the workspace, but when canonicalization fails it falls back to the original path and writes without approval. A malicious agent can create an in-workspace symlink that points outside the workspace and force canonicalization to fail β€” either because the target does not exist or because read permission is removed from the path β€” so the agent writes through the symlink to an arbitrary location without approval. A malicious agent could write arbitrary files outside the workspace under the user's privileges. This enables non-sandboxed Remote Code Execution β€” for example by overwriting the cursorsandbox helper so later commands run unsandboxed β€” with no user interaction beyond a benign prompt. This vulnerability is fixed in 3.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-25
Last Modified
2026-06-25
Generated
2026-06-26
AI Q&A
2026-06-25
EPSS Evaluated
N/A
NVD
CVE-2026-50549
EUVD
EUVD-2026-39536
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
cursor cursor to 3.0 (inc)
cursor cursor to 3.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-59 The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The provided information does not specify how this vulnerability impacts compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

Cursor is a code editor designed for programming with AI. Before version 3.0, it runs agent terminal commands inside a sandbox by default. When the agent tries to write a file, it first attempts to canonicalize the target path to ensure the write stays within the workspace. However, if canonicalization fails, Cursor falls back to using the original path and writes the file without further approval.

A malicious agent can exploit this by creating a symbolic link (symlink) inside the workspace that points outside the workspace. This causes the canonicalization to failβ€”either because the target path does not exist or because read permissions are removed. As a result, the agent writes files through the symlink to arbitrary locations outside the workspace without approval.

This allows a malicious agent to write arbitrary files outside the workspace with the user's privileges, enabling non-sandboxed Remote Code Execution. For example, it could overwrite the cursorsandbox helper so that subsequent commands run without sandbox restrictions, all without requiring user interaction beyond a benign prompt. This vulnerability was fixed in version 3.0.

Impact Analysis

This vulnerability can have serious impacts because it allows a malicious agent to write arbitrary files outside the intended workspace with the user's privileges.

  • It enables non-sandboxed Remote Code Execution, meaning attackers can execute commands on your system without sandbox restrictions.
  • Attackers could overwrite critical helper files like the cursorsandbox helper, causing later commands to run unsandboxed.
  • All of this can happen without explicit user interaction beyond a benign prompt, making it stealthy and dangerous.
Mitigation Strategies

To mitigate this vulnerability, upgrade Cursor to version 3.0 or later, where the issue is fixed.

Avoid running untrusted agents or code that could create malicious symlinks within the workspace.

Detection Guidance

The vulnerability involves a malicious agent creating symlinks inside the workspace that point outside, causing canonicalization to fail and allowing unauthorized writes. Detection would involve checking for unexpected or suspicious symlinks within the Cursor workspace that point to locations outside the workspace.

You can use commands to find symlinks inside the workspace and verify their targets. For example, on a Unix-like system, you could run:

  • find /path/to/cursor/workspace -type l -exec ls -l {} \;

This command lists all symbolic links in the workspace and their targets. You should investigate any symlinks pointing outside the workspace directory.

Additionally, monitoring for unexpected file writes outside the workspace or changes to critical files like the cursorsandbox helper could indicate exploitation.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-50549. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart