Description
Cursor is a code editor built for programming with AI. Prior to 3.0, Cursor runs agent terminal commands in a sandbox by default. Before a Write, the agent canonicalizes the target path to confirm it stays inside the workspace, but when canonicalization fails it falls back to the original path and writes without approval. A malicious agent can create an in-workspace symlink that points outside the workspace and force canonicalization to fail — either because the target does not exist or because read permission is removed from the path — so the agent writes through the symlink to an arbitrary location without approval. A malicious agent could write arbitrary files outside the workspace under the user's privileges. This enables non-sandboxed Remote Code Execution — for example by overwriting the cursorsandbox helper so later commands run unsandboxed — with no user interaction beyond a benign prompt. This vulnerability is fixed in 3.0.
Published: 2026-06-25
Score: 9.3 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Cursor, a code editor that runs agent terminal commands in a sandbox by default, mishandles symbolic links when path canonicalization fails. Before writing to a target path, the agent canonicalizes it and expects the result to lie inside the user's workspace; if canonicalization fails, it falls back to the original, unvalidated path and proceeds with the write without approval. A malicious agent can create a symlink inside the workspace that points to an external location, trigger a canonicalization failure (the link target does not exist, or read permission has been removed along the path), and cause the agent to write through the link, creating or overwriting files anywhere the user has write access. This lets an attacker place arbitrary files under the user's privileges, including overwriting the cursorsandbox helper so that later commands run outside the sandbox, which yields non-sandboxed remote code execution with no user interaction beyond a benign prompt.

Affected Systems

Cursor: Cursor. Any installation of Cursor prior to version 3.0 is affected; versions 3.0 and later contain the fix.

Risk and Exploitability

The flaw carries a CVSS v4.0 score of 9.3, indicating critical severity. No EPSS score is available, and the vulnerability is not yet catalogued in the CISA KEV list. Attackers can exploit the flaw from within the local environment or via a malicious agent; no network-facing vector is required. Successful exploitation results in code execution with the user's privileges, sufficient to compromise system integrity and confidentiality.

Generated by OpenCVE AI on June 25, 2026 at 20:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Cursor version 3.0 or later, which implements proper path canonicalization and eliminates the fallback behavior.
  • Audit any custom agent or extension scripts that interact with the sandbox and enforce strict checks that reject writes when canonicalization cannot resolve to a path inside the workspace—particularly ensure symbolic links are not allowed or are validated appropriately.
  • Implement monitoring to detect unexpected file creation or modification outside the designated workspace boundaries as an early warning of potential exploitation.

Generated by OpenCVE AI on June 25, 2026 at 20:50 UTC.
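As an added illustration (not Cursor's code and not part of the OpenCVE record), the check pattern that the description and the recommended actions describe, reconstructed in Python: the pre-fix pattern that trusts the raw path when strict canonicalization fails, beside a fail-closed check that canonicalizes the existing parent of a new file and refuses whenever canonicalization errors out. The workspace layout is constructed in a temporary directory on a POSIX filesystem; all function and file names are assumed.

```python
import tempfile
from pathlib import Path

def _inside(workspace: Path, candidate: Path) -> bool:
    return candidate == workspace or workspace in candidate.parents

def vulnerable_check(workspace: str, target: str) -> bool:
    """Pre-fix pattern as the advisory describes it (assumed reconstruction,
    not Cursor's code): canonicalize, but on failure trust the raw path."""
    ws = Path(workspace).resolve()
    try:
        resolved = Path(target).resolve(strict=True)
    except OSError:
        resolved = Path(target)  # BUG: a dangling or unreadable link is never followed
    return _inside(ws, resolved)

def hardened_check(workspace: str, target: str) -> bool:
    """Fail closed: auto-approve only when every existing component canonicalizes
    inside the workspace and the leaf is not a symlink; any error means 'ask'."""
    ws = Path(workspace).resolve(strict=True)
    p = Path(target)
    try:
        if p.is_symlink() or p.exists():
            resolved = p.resolve(strict=True)  # dangling link raises FileNotFoundError
        else:
            # New file: canonicalize the parent that does exist, keep the leaf name.
            resolved = p.parent.resolve(strict=True) / p.name
    except OSError:  # not found, permission denied, loop: deny instead of fall back
        return False
    # Still TOCTOU-prone on its own: pair with os.open(..., O_NOFOLLOW) at write time.
    return _inside(ws, resolved)

def build_demo() -> dict:
    """Constructed layout: a workspace holding a dangling symlink that points
    outside it (the advisory's trigger), plus a benign new-file path."""
    root = Path(tempfile.mkdtemp()).resolve()
    ws, outside = root / "workspace", root / "outside"
    ws.mkdir()
    outside.mkdir()
    (ws / "escape").symlink_to(outside / "missing.txt")  # link target does not exist
    return {"workspace": str(ws), "dangling_link": str(ws / "escape"),
            "new_file": str(ws / "notes.txt")}

if __name__ == "__main__":
    d = build_demo()
    for key in ("dangling_link", "new_file"):
        print(key, "vulnerable:", vulnerable_check(d["workspace"], d[key]),
              "hardened:", hardened_check(d["workspace"], d[key]))
```

The dangling link is auto-approved by the pre-fix pattern and denied by the fail-closed check, while an ordinary new file inside the workspace is approved by both.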

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 01:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Cursor, Cursor cursor
Vendors & Products                    Cursor, Cursor cursor

Thu, 25 Jun 2026 19:30:00 +0000

Type                 Values Removed   Values Added
Metrics                               ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 25 Jun 2026 19:00:00 +0000

Type                 Values Removed   Values Added
Description                           (same text as the Description above)
Title                                 Cursor Desktop sandbox escape via symlink and failed path canonicalization
Weaknesses                            CWE-59
References
Metrics                               cvssV4_0: {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-06-25T19:02:41.108Z
Reserved: 2026-06-04T20:37:18.654Z
Link: CVE-2026-50549

Vulnrichment

Updated: 2026-06-25T19:02:33.141Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T01:15:04Z

Weaknesses
  • CWE-59: Improper Link Resolution Before File Access ('Link Following')