Description
Cursor is a code editor built for programming with AI. Prior to 3.0, Cursor runs agent terminal commands in a sandbox by default, and the sandbox grants write access to the command's working directory. A flaw was identified in how the agent could modify the working_directory parameter, which could cause the sandbox to include writable paths outside the intended workspace. A malicious agent could set working_directory to a sensitive location and write arbitrary files outside the workspace under the user's privileges. This enables non-sandboxed Remote Code Execution — for example by overwriting the cursorsandbox helper so later commands run unsandboxed — with no user interaction beyond a benign prompt. This vulnerability is fixed in 3.0.
Published: 2026-06-25
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Cursor runs agent terminal commands in a sandbox that grants write access to the command's working directory. A flaw in handling the working_directory parameter allows an agent to set it to any writable location, thereby extending the sandbox beyond the intended workspace. This permits a malicious agent to write files outside the workspace, including overwriting the cursorsandbox helper, which results in subsequent commands running unsandboxed under the user’s privileges. The result is the ability to execute arbitrary code without further user interaction beyond a normal prompt.

Affected Systems

Cursor versions earlier than 3. The problem is present in all builds of Cursor prior to the release that fixed the issue in version 3.0.

Risk and Exploitability

With a CVSS score of 9.3, this vulnerability is considered critical. No EPSS data is available, and the flaw is not listed in CISA’s KEV catalog. The likely attack vector involves a compromised or malicious Agent that sets a harmful working_directory; no user authentication or interaction is required beyond the initial benign prompt. Once exploited, the attacker gains remote execution rights with the user’s privileges.

Generated by OpenCVE AI on June 25, 2026 at 20:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Cursor to version 3.0 or later where the sandbox correctly limits writable paths
  • Restrict the permission scope of agent processes and ensure that agents only run within safe, pre‑approved directories
  • Validate and sanitize the working_directory value supplied to agent commands, rejecting any paths that traverse outside the intended workspace

Generated by OpenCVE AI on June 25, 2026 at 20:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 02:00:00 +0000

Type Values Removed Values Added
First Time appeared Cursor
Cursor cursor
Vendors & Products Cursor
Cursor cursor

Thu, 25 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 25 Jun 2026 19:00:00 +0000

Type Values Removed Values Added
Description Cursor is a code editor built for programming with AI. Prior to 3.0, Cursor runs agent terminal commands in a sandbox by default, and the sandbox grants write access to the command's working directory. A flaw was identified in how the agent could modify the working_directory parameter, which could cause the sandbox to include writable paths outside the intended workspace. A malicious agent could set working_directory to a sensitive location and write arbitrary files outside the workspace under the user's privileges. This enables non-sandboxed Remote Code Execution — for example by overwriting the cursorsandbox helper so later commands run unsandboxed — with no user interaction beyond a benign prompt. This vulnerability is fixed in 3.0.
Title Cursor Desktop sandbox escape via agent-controlled working directory
Weaknesses CWE-22
References
Metrics cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Cursor Cursor
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-25T19:02:54.556Z

Reserved: 2026-06-04T20:37:18.653Z

Link: CVE-2026-50548

cve-icon Vulnrichment

Updated: 2026-06-25T19:02:48.667Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T01:45:16Z

Weaknesses
  • CWE-22

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')