CVE-2026-50549
CriticalCVSS 9.8Exploitation Probability (EPSS)
Low risk40th percentile — higher than 40% of all known CVEs
Summary
Vulnerability in Cursor before version 3.0 allows a malicious agent to write files outside the workspace without user approval. The agent uses an in-workspace symlink pointing outside and forces path canonicalization to fail, resulting in writing to an arbitrary location. This enables non-sandboxed remote code execution, e.g., by overwriting the sandbox helper.
Risk Assessment
The risk is remote code execution with user privileges without user interaction beyond a benign prompt. An attacker could gain control of the system by installing malware or modifying critical files.
Recommendation
Immediately update Cursor to version 3.0 or later, which contains the fix for this vulnerability.
Original NVD description (English source)
Cursor is a code editor built for programming with AI. Prior to 3.0, Cursor runs agent terminal commands in a sandbox by default. Before a Write, the agent canonicalizes the target path to confirm it stays inside the workspace, but when canonicalization fails it falls back to the original path and writes without approval. A malicious agent can create an in-workspace symlink that points outside the workspace and force canonicalization to fail — either because the target does not exist or because read permission is removed from the path — so the agent writes through the symlink to an arbitrary location without approval. A malicious agent could write arbitrary files outside the workspace under the user's privileges. This enables non-sandboxed Remote Code Execution — for example by overwriting the cursorsandbox helper so later commands run unsandboxed — with no user interaction beyond a benign prompt. This vulnerability is fixed in 3.0.

