{"document":{"category":"csaf_vex","csaf_version":"2.0","title":"CVE-2026-48124: Cursor Desktop sandbox escape via Claude hook configuration","publisher":{"category":"vendor","name":"HarborGuard Database","namespace":"https://database.harborguard.co"},"tracking":{"id":"CVE-2026-48124","status":"final","version":"1","initial_release_date":"2026-06-15T19:56:07.573Z","current_release_date":"2026-06-15T19:56:07.573Z","revision_history":[{"date":"2026-06-15T19:56:07.573Z","number":"1","summary":"Initial machine-readable export from HarborGuard."}]},"distribution":{"tlp":{"label":"WHITE"},"text":"Public CVE data; freely redistributable."},"notes":[{"category":"description","text":"Cursor is a code editor built for programming with AI. In versions prior to 3.0.0, the Cursor Desktop could execute workspace-defined Claude hook commands from .claude/settings.local.json without dedicated user approval. A malicious workspace or agent-created file could configure hooks that run local commands in the user's context when an agent turn ends. This could allow sandbox escape, persistence across turns, local data access, or follow-on compromise. This issue has been fixed in version 3.0.0.","title":"CVE description"}],"references":[{"category":"self","summary":"CVE-2026-48124 on HarborGuard Database","url":"https://database.harborguard.co/cve/CVE-2026-48124"},{"category":"external","summary":"CVE Record","url":"https://www.cve.org/CVERecord?id=CVE-2026-48124"},{"category":"external","summary":"https://github.com/cursor/cursor/security/advisories/GHSA-pc9j-3qc2-95wv","url":"https://github.com/cursor/cursor/security/advisories/GHSA-pc9j-3qc2-95wv"}]},"product_tree":{"branches":[{"category":"vendor","name":"cursor","branches":[{"category":"product_name","name":"cursor","branches":[{"category":"product_version","name":"< 3.0.0","product":{"name":"cursor cursor < 3.0.0","product_id":"CSAFPID-1","product_identification_helper":{"cpe":"cpe:2.3:a:cursor:cursor:\\<_3.0.0:*:*:*:*:*:*:*"}}}]}]}]},"vulnerabilities":[{"cve":"CVE-2026-48124","title":"Cursor Desktop sandbox escape via Claude hook configuration","notes":[{"category":"description","text":"Cursor is a code editor built for programming with AI. In versions prior to 3.0.0, the Cursor Desktop could execute workspace-defined Claude hook commands from .claude/settings.local.json without dedicated user approval. A malicious workspace or agent-created file could configure hooks that run local commands in the user's context when an agent turn ends. This could allow sandbox escape, persistence across turns, local data access, or follow-on compromise. This issue has been fixed in version 3.0.0.","title":"CVE description"}],"product_status":{"known_affected":["CSAFPID-1"]},"scores":[{"cvss_v4":{"version":"4.0","vectorString":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N","baseScore":8.5,"baseSeverity":"HIGH"},"products":["CSAFPID-1"]}],"remediations":[{"category":"none_available","details":"No fixed version is published yet. Monitor the upstream advisory.","product_ids":["CSAFPID-1"]}]}]}