How is CVE-2026-50549 exploited?

Network reachability (required): The vulnerable service is reachable over the network, meaning an attacker can interact with the Cursor agent endpoint without requiring physical or local access to the host. Authentication (not-required): No credentials or prior account access are needed to trigger the vulnerable code path; the exploit requires only the ability to supply a malicious prompt to the agent. Victim interaction (not-required): No user action beyond submitting a benign-looking prompt is involved; the sandbox escape and subsequent file write happen automatically within the agent's execution flow. Attack complexity (info): Exploit conditions are reliable and free of race conditions or environmental prerequisites: creating an in-workspace symlink with a removed or missing target is a deterministic operation under normal filesystem permissions.

What is the impact of CVE-2026-50549?

The attacker writes arbitrary files on the host filesystem under the user's privileges, including outside the workspace directory. By overwriting the cursorsandbox helper binary, subsequent agent terminal commands execute without any sandbox restrictions. With unsandboxed execution established, the attacker runs arbitrary code as the logged-in user, gaining full access to secrets, credentials, and source code present on the machine. All three impact dimensions (confidentiality, integrity, availability) of the vulnerable component are fully compromised: stored files and tokens are readable, persistent data is modifiable, and processes or files can be corrupted or deleted.

Back to search

CRITICALCVE-2026-50549Published 2026-06-25Modified 2026-06-25CNA GitHub_M

CVE-2026-50549: Cursor Desktop sandbox escape via symlink and failed path canonicalization

Cursor is a code editor built for programming with AI. Prior to 3.0, Cursor runs agent terminal commands in a sandbox by default. Before a Write, the agent canonicalizes the target path to confirm it stays inside the workspace, but when canonicalization fails it falls back to the original path and writes without approval. A malicious agent can create an in-workspace symlink that points outside the workspace and force canonicalization to fail — either because the target does not exist or because read permission is removed from the path — so the agent writes through the symlink to an arbitrary location without approval. A malicious agent could write arbitrary files outside the workspace under the user's privileges. This enables non-sandboxed Remote Code Execution — for example by overwriting the cursorsandbox helper so later commands run unsandboxed — with no user interaction beyond a benign prompt. This vulnerability is fixed in 3.0.

CVSS v4.0: 9.3
Severity: CRITICAL
Fixed in: —
Affected Products: 1

HarborGuard Analysis

Synopsis

A sandbox-escape vulnerability exists in Cursor Desktop, the AI-assisted code editor, affecting all versions before 3.0. The flaw stems from a failed path canonicalization fallback: when the agent cannot resolve a symlink target, it writes to the original path without approval, allowing an attacker-controlled agent to write files outside the workspace entirely. Successful exploitation enables unsandboxed remote code execution under the user's privileges, with no interaction required beyond a normal prompt. No fix version has been published yet; HarborGuard is tracking the advisory for patch availability.

HarborGuard Coverage

Detection

Detection of CVE-2026-50549 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images and pipelines, including custom-built images that bundle the Cursor Desktop binary or any derived tooling layer.

Available

Triage

Triage capability is available with the full CVSS v4.0 score of 9.3 (Critical) applied automatically, weighted against each environment's compliance policy to surface severity-appropriate urgency; alerts are routed to the inbox configured for each customer organization's security or platform team.

Available

Patch

Because no upstream fix version has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment a fix is released. In the interim, the advisory remains open in each environment's vulnerability queue so no affected image silently ages out of review.

Pending upstream

Exploit Conditions

Network reachabilityRequired
The vulnerable service is reachable over the network, meaning an attacker can interact with the Cursor agent endpoint without requiring physical or local access to the host.
AuthenticationNot required
No credentials or prior account access are needed to trigger the vulnerable code path; the exploit requires only the ability to supply a malicious prompt to the agent.
Victim interactionNot required
No user action beyond submitting a benign-looking prompt is involved; the sandbox escape and subsequent file write happen automatically within the agent's execution flow.
Attack complexityDetail
Exploit conditions are reliable and free of race conditions or environmental prerequisites: creating an in-workspace symlink with a removed or missing target is a deterministic operation under normal filesystem permissions.

Blast Radius

The attacker writes arbitrary files on the host filesystem under the user's privileges, including outside the workspace directory.
By overwriting the cursorsandbox helper binary, subsequent agent terminal commands execute without any sandbox restrictions.
With unsandboxed execution established, the attacker runs arbitrary code as the logged-in user, gaining full access to secrets, credentials, and source code present on the machine.
All three impact dimensions (confidentiality, integrity, availability) of the vulnerable component are fully compromised: stored files and tokens are readable, persistent data is modifiable, and processes or files can be corrupted or deleted.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix exists for CVE-2026-50549 as of publication, the advisory is held open and re-evaluated on every ingest cycle so affected images remain visible in each environment's queue without manual follow-up. Where compliance policy supports it, compensating controls can be applied at the image layer: network-policy isolation to restrict which agent endpoints can receive untrusted input, egress filtering to limit what the Cursor process can reach after a potential escape, and feature-flag or entrypoint gating to disable agent terminal execution entirely in environments where that capability is not required. The moment an upstream patch is published at version 3.0 or later, a patched-image rebuild becomes available on HarborGuard, and for customers with auto-remediation enabled, the flow includes a rebuild, a regression-test run, and a PR opened against affected workloads automatically.

See how HarborGuard automates this

Affected packages

cursor / cursor
< 3.0

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

References

https://github.com/cursor/cursor/security/advisories/GHSA-3v8f-48vw-3mjx

Metrics

Get notified