CVE-2026-50548 (CRITICAL), CNA: GitHub_M

CVE-2026-50548: Cursor Desktop sandbox escape via agent-controlled working directory

Cursor is a code editor built for programming with AI. Prior to 3.0, Cursor runs agent terminal commands in a sandbox by default, and the sandbox grants write access to the command's working directory. A flaw was identified in how the agent could modify the working_directory parameter, which could cause the sandbox to include writable paths outside the intended workspace. A malicious agent could set working_directory to a sensitive location and write arbitrary files outside the workspace under the user's privileges. This enables non-sandboxed Remote Code Execution — for example by overwriting the cursorsandbox helper so later commands run unsandboxed — with no user interaction beyond a benign prompt. This vulnerability is fixed in 3.0.

Metrics

CVSS v4.0: 9.3
Severity: CRITICAL
Fixed in:
Affected Products: 1


HarborGuard Analysis

Synopsis

This is a sandbox-escape vulnerability in Cursor Desktop, the AI-assisted code editor. The flaw allows a malicious AI agent to manipulate the working_directory parameter passed to the sandbox, tricking it into granting write access to paths outside the intended workspace. An attacker who can influence agent behavior can overwrite critical host binaries such as the cursorsandbox helper, achieving full unsandboxed remote code execution under the user's privileges with no interaction required beyond a normal-looking prompt. No fix version has been published yet; HarborGuard tracks this advisory for patch availability and will make a patched-image rebuild available the moment an upstream fix is released.
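The flaw described above and in the CVE text is a containment failure: the sandbox treated an agent-supplied working_directory as writable without confirming that it actually stays inside the workspace. The following Python is an added example written for this page, not Cursor's own code and not the fix shipped in 3.0. It shows the check a sandbox wrapper would want before granting write access: resolve symlinks and ".." on both the workspace root and the candidate, then test containment component-wise so a sibling directory with the workspace as a name prefix is also rejected. The function and class names (resolve_inside_workspace, WorkingDirectoryEscape, is_within_workspace, demo) and the temporary-directory fixture are assumptions constructed for the example.

```python
import tempfile
from pathlib import Path
from typing import Dict, Optional


class WorkingDirectoryEscape(ValueError):
    """Raised when an agent-supplied working_directory would leave the workspace."""


def resolve_inside_workspace(workspace_root: str, requested: Optional[str]) -> Path:
    """Return the canonical directory the sandbox may treat as writable.

    Symlinks and '..' components are resolved on both sides before the
    containment check, so a symlink inside the workspace that points at a
    location outside it is rejected just like a plain '../..' path.
    A missing or empty working_directory falls back to the workspace root.
    """
    root = Path(workspace_root).resolve(strict=False)
    if not requested:
        return root
    candidate = Path(requested)
    if not candidate.is_absolute():
        candidate = root / candidate
    candidate = candidate.resolve(strict=False)
    # Component-wise containment: '/ws' does not contain '/ws-evil',
    # which a naive string-prefix comparison would accept.
    try:
        candidate.relative_to(root)
    except ValueError:
        raise WorkingDirectoryEscape(
            f"working_directory {requested!r} resolves to {candidate}, outside {root}"
        ) from None
    return candidate


def is_within_workspace(workspace_root: str, requested: Optional[str]) -> bool:
    """Boolean form of the check, for policy code that prefers not to catch."""
    try:
        resolve_inside_workspace(workspace_root, requested)
        return True
    except WorkingDirectoryEscape:
        return False


def demo() -> Dict[str, bool]:
    """Build a throwaway workspace (constructed fixture) and exercise the check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "ws"
        (root / "src").mkdir(parents=True)
        outside = Path(tmp) / "outside"
        outside.mkdir()
        # A symlink inside the workspace pointing at a directory outside it.
        (root / "link").symlink_to(outside, target_is_directory=True)
        sibling = Path(tmp) / "ws-evil"  # shares the prefix "ws", never created
        ws = str(root)
        return {
            "root_itself": is_within_workspace(ws, None),
            "subdir": is_within_workspace(ws, "src"),
            "dotdot_roundtrip": is_within_workspace(ws, "src/../src"),
            "parent_escape": is_within_workspace(ws, "../outside"),
            "absolute_escape": is_within_workspace(ws, str(outside)),
            "symlink_escape": is_within_workspace(ws, "link"),
            "sibling_prefix": is_within_workspace(ws, str(sibling)),
        }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:18} {'allowed' if allowed else 'rejected'}")
```

A sandbox that applies this check would still grant write access to the working directory, as the advisory says Cursor's does, but only after the directory has been proven to sit inside the workspace; anything else should be refused or replaced by the workspace root, and the refusal logged so an unexpected working_directory value from an agent is visible to the user.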

HarborGuard Coverage

Detection (Available)

Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle Cursor or its dependencies. Any image containing an affected version of cursor is flagged automatically in the registry scan and CI/CD pipeline checks.

Triage (Available)

HarborGuard scores this finding at CVSS 9.3 Critical (v4.0) and weights it further against each customer environment's compliance policy to determine urgency and routing. The resulting alert is directed to the appropriate team inbox within each customer organization based on image ownership and policy configuration.

Patch (Pending upstream)

Because no upstream fix has been published, HarborGuard re-evaluates this advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a fix version appears in the upstream feed. In the interim, customers with auto-remediation enabled are notified of affected workloads so compensating controls can be applied without delay.

Exploit Conditions

  • Network reachability: Required

    The vulnerable service is reachable over the network; an attacker must be able to deliver a crafted prompt or agent instruction to a running Cursor instance exposed to network-accessible input.

  • Authentication: Not required

    No authentication is required; the attacker needs only to influence the content of an agent prompt, which requires no account or credential on the target system.

  • Victim interaction: Not required

    No victim interaction beyond submitting a normal-looking prompt is needed; the entire exploit chain executes autonomously once the agent processes the malicious working_directory value.

  • Attack complexity: Low

    Attack complexity is low; the exploit is reliable and condition-free, requiring no race conditions, memory-layout knowledge, or other environmental factors.

Blast Radius

  • Attacker writes arbitrary files to any path the user has write access to on the host filesystem, including system-level directories.
  • Attacker overwrites the cursorsandbox helper binary, causing all subsequent agent terminal commands to run without sandbox restrictions.
  • With unsandboxed execution achieved, the attacker runs arbitrary code under the logged-in user's full privileges, including reading source code, credentials, SSH keys, and secrets stored on disk.
  • The attacker can establish persistence by modifying shell profiles, cron jobs, or other startup mechanisms accessible to the user.

How HarborGuard Handles This

Available on HarborGuard: any image containing cursor at a version below 3.0 is flagged as Critical the moment the advisory is ingested, typically within minutes of publication. Because no upstream fix exists yet, HarborGuard monitors the advisory on every ingest cycle and, as soon as a fix version is published, will trigger an automatic patched-image rebuild and, for customers with auto-remediation enabled, a regression-test run and a PR opened against affected workloads. While no patch is available, recommended compensating controls include applying network-policy rules to restrict which network sources can deliver prompts to Cursor agent sessions, preventing untrusted or externally sourced prompt content from reaching agent processes, and disabling AI agent terminal execution features via feature flags if the editor supports them. Customers can use HarborGuard policy rules to block promotion of any image containing the affected cursor package to production registries until a patched rebuild is confirmed.

Affected packages

  • cursor / cursor: < 3.0

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N