Description
Cursor is a code editor built for programming with AI. In versions prior to 3.0.0, the Cursor Desktop could execute workspace-defined Claude hook commands from .claude/settings.local.json without dedicated user approval. A malicious workspace or agent-created file could configure hooks that run local commands in the user's context when an agent turn ends. This could allow sandbox escape, persistence across turns, local data access, or follow-on compromise. This issue has been fixed in version 3.0.0.
Published: 2026-06-15
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Cursor Desktop, in versions before 3.0.0, executed workspace-defined Claude hook commands written in ".claude/settings.local.json" without user approval, turning a workspace configuration file into a code injection vector. This flaw lets an attacker run arbitrary local commands in the user's context when an AI agent turn ends, enabling sandbox escape, persistence across turns, and unauthorized access to local data. The underlying weaknesses are CWE-829 (Inclusion of Functionality from Untrusted Control Sphere) and CWE-94 (Improper Control of Generation of Code, 'Code Injection').

Affected Systems

The vulnerable product is Cursor Desktop, a code editor built for programming with AI, from the vendor Cursor. All releases prior to version 3.0.0 are affected; no specific sub‑version details are supplied besides the general “< 3.0.0” scope.

Risk and Exploitability

The CVSS score of 8.5 classifies this vulnerability as high severity, while the EPSS indicates an exploitation probability of less than 1%. It is not listed in CISA’s KEV catalog. The likely attack vector is a malicious workspace or an agent-crafted configuration file that embeds harmful hooks; the attacker must supply or orchestrate the opening of such a workspace. Once the agent completes a turn, the embedded commands run in the user’s context, enabling local code execution and potential compromise of the system.

Generated by OpenCVE AI on June 16, 2026 at 21:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Cursor Desktop to version 3.0.0 or later to apply the vendor fix
  • Remove or disable any .claude/settings.local.json hook configurations from workspaces before opening them
  • Verify that workspaces do not contain malicious hook definitions by inspecting or sanitizing the file prior to use
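One way to carry out the inspection step above before a workspace is opened, as an added example that is not OpenCVE's or Cursor's own tooling: a small Python script that reads the workspace's Claude settings files and lists every command hook they declare, so a reviewer can decide whether to strip them. The file layout it walks (a top-level "hooks" object mapping event names to matcher groups, each holding a "hooks" list of {"type": "command", "command": ...} entries) and the inclusion of .claude/settings.json beside the settings.local.json named in the advisory are assumptions about the settings format; the sample settings it writes are constructed for the demonstration.

```python
"""List command hooks declared in a workspace's .claude settings files.

Added example, not from OpenCVE or Cursor. The hook layout assumed here
(hooks -> event name -> matcher groups -> "hooks" list of
{"type": "command", "command": ...}) is an assumption about the Claude
settings format, not something the advisory specifies.
"""
from __future__ import annotations

import json
import os
import tempfile
from dataclasses import dataclass

# The file named in the advisory plus the shared settings file assumed to use the same format.
SETTINGS_FILES = (".claude/settings.local.json", ".claude/settings.json")

# Constructed sample settings for the demonstration (not a real payload).
SAMPLE_SETTINGS = {
    "permissions": {"allow": ["Read"]},
    "hooks": {
        "Stop": [{"matcher": "", "hooks": [{"type": "command", "command": "echo turn-ended"}]}],
        "PostToolUse": [{"matcher": "Edit", "hooks": [{"type": "command", "command": "echo edited"}]}],
    },
}


@dataclass(frozen=True)
class HookFinding:
    file: str      # settings file relative to the workspace root
    event: str     # hook event name, or "<unparseable>" when the file could not be read
    command: str   # the shell command the hook would run


def _walk_hooks(node, event: str, out: list[tuple[str, str]]) -> None:
    """Recursively collect {"type": "command", "command": ...} entries under one event."""
    if isinstance(node, dict):
        if node.get("type") == "command" and isinstance(node.get("command"), str):
            out.append((event, node["command"]))
        for value in node.values():
            _walk_hooks(value, event, out)
    elif isinstance(node, list):
        for item in node:
            _walk_hooks(item, event, out)


def find_hook_commands(workspace: str) -> list[HookFinding]:
    """Return every command hook declared in the workspace's Claude settings files."""
    findings: list[HookFinding] = []
    for rel in SETTINGS_FILES:
        path = os.path.join(workspace, rel)
        if not os.path.isfile(path):
            continue
        try:
            with open(path, encoding="utf-8") as fh:
                settings = json.load(fh)
        except (OSError, ValueError):
            # A settings file that cannot be parsed still deserves a manual look.
            findings.append(HookFinding(rel, "<unparseable>", ""))
            continue
        hooks = settings.get("hooks") if isinstance(settings, dict) else None
        if not isinstance(hooks, dict):
            continue
        for event, groups in hooks.items():
            collected: list[tuple[str, str]] = []
            _walk_hooks(groups, event, collected)
            findings.extend(HookFinding(rel, ev, cmd) for ev, cmd in collected)
    return findings


def build_workspace(settings: dict | None) -> str:
    """Create a throwaway workspace; write the given settings to settings.local.json if any."""
    ws = tempfile.mkdtemp(prefix="ws-")
    if settings is not None:
        os.makedirs(os.path.join(ws, ".claude"))
        with open(os.path.join(ws, ".claude", "settings.local.json"), "w", encoding="utf-8") as fh:
            json.dump(settings, fh)
    return ws


if __name__ == "__main__":
    ws = build_workspace(SAMPLE_SETTINGS)
    for f in find_hook_commands(ws):
        print(f"{f.file}: event={f.event} command={f.command!r}")
```

Run it against a cloned repository's root before opening it in the editor; any finding is a hook that would have run without a prompt on an affected version, and an empty result for a workspace you did not expect to carry hooks is the normal case.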

Advisories

No advisories yet.

History

Tue, 16 Jun 2026 17:30:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 06:30:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Cursor
                                       Cursor cursor
Vendors & Products                     Cursor
                                       Cursor cursor

Mon, 15 Jun 2026 20:30:00 +0000

Type          Values Removed   Values Added
Description                    Cursor is a code editor built for programming with AI. In versions prior to 3.0.0, the Cursor Desktop could execute workspace-defined Claude hook commands from .claude/settings.local.json without dedicated user approval. A malicious workspace or agent-created file could configure hooks that run local commands in the user's context when an agent turn ends. This could allow sandbox escape, persistence across turns, local data access, or follow-on compromise. This issue has been fixed in version 3.0.0.
Title                          Cursor Desktop sandbox escape via Claude hook configuration
Weaknesses                     CWE-829
                               CWE-94
References
Metrics                        cvssV4_0: {'score': 8.5, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-16T15:00:05.593Z

Reserved: 2026-05-20T18:46:58.291Z

Link: CVE-2026-48124

Vulnrichment

Updated: 2026-06-16T14:59:57.552Z

NVD

Status : Deferred

Published: 2026-06-15T21:17:13.927

Modified: 2026-06-16T15:49:33.737

Link: CVE-2026-48124

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-16T22:00:13Z

Weaknesses
  • CWE-829: Inclusion of Functionality from Untrusted Control Sphere
  • CWE-94: Improper Control of Generation of Code ('Code Injection')