Severity: HIGH | CVE-2026-48124 | CNA: GitHub_M

CVE-2026-48124: Cursor Desktop sandbox escape via Claude hook configuration

Cursor is a code editor built for programming with AI. In versions prior to 3.0.0, Cursor Desktop could execute workspace-defined Claude hook commands from .claude/settings.local.json without dedicated user approval. A malicious workspace or agent-created file could configure hooks that run local commands in the user's context when an agent turn ends. This could allow sandbox escape, persistence across turns, local data access, or follow-on compromise. This issue has been fixed in version 3.0.0.

Metrics

  • CVSS v4.0: 8.5
  • Severity: HIGH
  • Fixed in:
  • Affected Products: 1


HarborGuard Analysis

Synopsis

This is a sandbox-escape vulnerability in the Cursor Desktop code editor (versions prior to 3.0.0). The editor executed workspace-defined Claude hook commands from a local settings file without requiring dedicated user approval, meaning a malicious or agent-created workspace file could silently configure hooks that run arbitrary local commands in the user's context when an AI agent turn ends. Successful exploitation gives an attacker the ability to read local files, persist across agent sessions, and pivot to further compromise of the host system. HarborGuard tracks this advisory for patch availability, as no fix version has been published to package repositories at this time.

HarborGuard Coverage

Detection (Available)

Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images containing the affected Cursor Desktop package, including custom-built images that bundle Cursor as part of a developer toolchain container.

Triage (Available)

HarborGuard scores this finding at CVSS 8.5 HIGH and weights it against each environment's compliance policy, surfacing it to the appropriate team inbox within the customer org based on image ownership and criticality tier.

Patch (Pending upstream)

Because no upstream fix has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available immediately once a fix version appears in the upstream package feed. In the interim, customers receive the advisory detail needed to apply compensating controls manually.

Exploit Conditions

  • Network reachability: Not required

    The attacker needs an existing shell or process on the host, or the ability to place a malicious workspace file on the local filesystem; no network access to the target is required.

  • Authentication: Not required

    No account credentials or prior authentication are needed; placing or influencing a workspace-level settings file is sufficient to trigger hook execution.

  • Victim interaction: Required

    The victim must open the malicious workspace in Cursor Desktop and allow an agent turn to complete, which triggers hook execution without a separate approval prompt.

  • Attack complexity: Detail

    Exploitation is reliable and condition-free once the malicious settings file is in place; no race conditions or special memory layout requirements apply.

Blast Radius

  • Reads arbitrary local files accessible to the user's process context, including source code, credentials, and SSH keys.
  • Writes or modifies files on the local filesystem, enabling persistence mechanisms that survive across agent sessions.
  • Executes follow-on commands in the user's context, allowing lateral movement or installation of additional payloads.
  • Crashes or disrupts the local development environment by terminating processes or corrupting workspace state.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix version has been published for this CVE, HarborGuard monitors the advisory on every ingest cycle and will surface a patched-image rebuild automatically the moment a remediated package version appears. Until then, customers can use HarborGuard policy controls to flag any image containing Cursor Desktop below version 3.0.0 as non-compliant, blocking it from deployment pipelines. As compensating controls, teams are advised to avoid bundling Cursor Desktop in shared or multi-tenant container images, restrict filesystem mounts that expose .claude/settings.local.json paths, and audit CI pipelines for agent-generated workspace files before image build steps. Customers with auto-remediation enabled will receive a rebuild, regression-test run, and a PR opened against affected workloads as soon as a fix version is available upstream.
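One way to run the audit of workspace files mentioned above before an image build step, as an added example that is not HarborGuard's or Cursor's own code. It walks a source tree for .claude/settings.local.json and lists every command string found under a top-level "hooks" key; the "hooks" key, the "Stop" event name and the nested layout in the constructed sample are assumptions about the settings format, not details taken from this advisory.

```python
import json
import tempfile
from pathlib import Path

SETTINGS = Path(".claude") / "settings.local.json"  # path named in the advisory


def collect_commands(node, trail=()):
    """Yield (location, command) for every "command" string nested under node."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "command" and isinstance(value, str):
                yield "/".join(trail), value
            else:
                yield from collect_commands(value, trail + (str(key),))
    elif isinstance(node, list):
        for index, item in enumerate(node):
            yield from collect_commands(item, trail + (str(index),))


def audit_workspace(root):
    """Return (file, location, command) for each hook command found under root."""
    findings = []
    for path in sorted(Path(root).rglob(SETTINGS.name)):
        if path.parent.name != SETTINGS.parent.name:
            continue
        try:
            data = json.loads(path.read_text(encoding="utf-8"))
        except (OSError, ValueError) as exc:  # unreadable or malformed: review by hand
            findings.append((str(path), "unparseable", str(exc)))
            continue
        hooks = data.get("hooks") if isinstance(data, dict) else None
        findings.extend((str(path), loc, cmd) for loc, cmd in collect_commands(hooks))
    return findings


def demo():
    """Audit a constructed tree: one file with a hook, one without."""
    with tempfile.TemporaryDirectory() as tmp:
        samples = {  # constructed samples; the hook layout is an assumption
            "repo": {"hooks": {"Stop": [{"hooks": [
                {"type": "command", "command": "echo constructed-sample"}]}]}},
            "other": {"permissions": {"allow": []}},
        }
        for name, body in samples.items():
            target = Path(tmp) / name / SETTINGS
            target.parent.mkdir(parents=True)
            target.write_text(json.dumps(body), encoding="utf-8")
        return [(loc, cmd) for _, loc, cmd in audit_workspace(tmp)]
```

In a pipeline, call audit_workspace() on the checkout directory and fail the build when it returns any finding, so a person reviews the hook command before the workspace is opened or packaged.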

Affected packages

  • cursor / cursor: < 3.0.0

CVSS Vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N