External risk intelligence

Cursor Code Editor Sandbox Escape RCE Vulnerability

CVE advisorySeverity: CRITICAL (CVSS 9.3)

CVE-2026-50548

This vulnerability affects a desktop code editor application running on a user's local machine. It requires the user to execute agent commands within the local environment, making it a client-side tool rather than a public-facing network service or internet-exposed gateway.

Path Traversal

Anysphere Cursor

before 3.0

Halo Surface Signal: 1 out of 5 — much less likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This advisory addresses a critical security flaw in Cursor, a code editor that integrates AI features. A vulnerability exists where a malicious agent within the editor could manipulate its sandboxing mechanism to execute arbitrary code on the user's machine without requiring any user interaction beyond a standard prompt. This could allow an attacker to gain control of the user's system, bypassing intended security measures.

  • Code editor can be tricked into running dangerous commands.
  • It allows remote code execution with no user interaction.
  • Confirm if Cursor is used and assess potential exposure.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this vulnerability by tricking a user into running a malicious agent command within the Cursor code editor. This command, by manipulating a parameter, could trick the editor's sandbox into allowing arbitrary file writes outside the intended workspace, ultimately enabling the attacker to execute code on the user's system without further interaction.

  • Requires a user to run agent commands.
  • Malicious agent modifies working directory.
  • Leads to unsandboxed remote code execution.

Live Threat

Current exploitation, exposure, and threat context

When supported by the advisory, a malicious agent within Cursor could manipulate the sandbox to write arbitrary files outside the intended workspace. This could lead to the execution of non-sandboxed commands with the user's privileges, potentially enabling remote code execution without further user interaction beyond an initial prompt.

  • User-controlled code execution.
  • Arbitrary file writes outside workspace.
  • Unsandboxed command execution.

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability impacts users of the Cursor code editor, specifically concerning how agent terminal commands are handled. The first practical step is for users to identify their Cursor installation, confirm its reachability and business criticality, and then coordinate with the application or platform owner to plan for the update to version 3.0 or later.

  • Cursor application and platform owners.
  • Verify Cursor installation and version.
  • Update to Cursor version 3.0 or later.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is Cursor?

Cursor is a specialized code editor designed for AI-assisted programming. It features an integrated agent that can execute terminal commands within a sandbox environment to help users build and manage software. By default, this sandbox is intended to restrict the agent's operations to a specific working directory, ensuring that code execution and file modifications remain contained within the user's project space.

What does CWE-22 mean for CVE-2026-50548?

This vulnerability is classified as CWE-22, or Path Traversal. In this context, the editor's sandbox fails to properly validate the 'working_directory' parameter. Instead of being restricted to the intended project folder, an attacker can manipulate this parameter to point to sensitive areas of the file system. This allows the agent to write files or execute commands in locations it should not have access to, effectively breaking out of the security boundary.

How is this vulnerability triggered?

The flaw is triggered when a user executes an agent command that has been maliciously crafted to manipulate the 'working_directory' parameter. It does not trigger during standard, non-malicious coding tasks where the agent operates within its defined workspace. The vulnerability requires the execution of an agent command, but once initiated, it can lead to unauthorized file writes and code execution without further user intervention.

Is my system at risk?

According to Halo Surface Signal, this vulnerability is very unlikely to be exploited over the network because Cursor is a client-side desktop application, not an internet-facing service. The primary risk is local; an attacker would need to trick a user into running a malicious agent command within the editor. While not a remote server attack, anyone using Cursor versions prior to 3.0 on a machine that handles sensitive data should consider this a priority.

How do I fix CVE-2026-50548?

The practical response is to update your Cursor installation immediately. The vulnerability is resolved in version 3.0 and all subsequent releases. You should verify your current version within the application and coordinate an update to 3.0 or later to ensure the sandboxing mechanism is properly secured against path manipulation.

References