CVE Catalog

CVE-2026-50549

CriticalCVSS 9.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.52%

40th percentile — higher than 40% of all known CVEs

Summary

Vulnerability in Cursor before version 3.0 allows a malicious agent to write files outside the workspace without user approval. The agent uses an in-workspace symlink pointing outside and forces path canonicalization to fail, resulting in writing to an arbitrary location. This enables non-sandboxed remote code execution, e.g., by overwriting the sandbox helper.

Risk Assessment

The risk is remote code execution with user privileges without user interaction beyond a benign prompt. An attacker could gain control of the system by installing malware or modifying critical files.

Recommendation

Immediately update Cursor to version 3.0 or later, which contains the fix for this vulnerability.

Original NVD description (English source)

Cursor is a code editor built for programming with AI. Prior to 3.0, Cursor runs agent terminal commands in a sandbox by default. Before a Write, the agent canonicalizes the target path to confirm it stays inside the workspace, but when canonicalization fails it falls back to the original path and writes without approval. A malicious agent can create an in-workspace symlink that points outside the workspace and force canonicalization to fail — either because the target does not exist or because read permission is removed from the path — so the agent writes through the symlink to an arbitrary location without approval. A malicious agent could write arbitrary files outside the workspace under the user's privileges. This enables non-sandboxed Remote Code Execution — for example by overwriting the cursorsandbox helper so later commands run unsandboxed — with no user interaction beyond a benign prompt. This vulnerability is fixed in 3.0.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS