External risk intelligence

Cursor Code Editor Arbitrary File Write via Malicious Agent Symlink

CVE advisorySeverity: CRITICAL (CVSS 9.3)

CVE-2026-50549

Cursor is a client-side code editor application installed on a user's workstation. The vulnerability exists within the local development environment and workspace file handling, not an internet-facing service or network-accessible appliance. It requires a developer to use the tool locally to process malicious inputs, making public internet exposure of this attack surface essentially non-existent.

Remote Code Execution

Anysphere Cursor

before 3.0

Halo Surface Signal: 1 out of 5 — much less likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This CVE concerns a vulnerability in Cursor, an AI-powered code editor. If exploited, a malicious agent within the editor could write arbitrary files outside the designated workspace, potentially leading to unauthorized code execution under the user's privileges without requiring further user interaction beyond an initial prompt. The issue is addressed in version 3.0 of the software.

  • Malicious code could write files anywhere on your system.
  • It allows unauthorized code execution without user consent.
  • Confirm relevance and review for local exposure.

Attack Path

How an attacker could exploit the issue

An attacker could leverage a specially crafted agent within the Cursor code editor to write arbitrary files outside the designated workspace. This occurs when the agent's path canonicalization fails, causing it to bypass security checks and write to unintended locations. If successful, this could allow an attacker to achieve non-sandboxed remote code execution by overwriting critical system files, such as the sandbox helper, leading to further compromise with no user interaction beyond a typical prompt.

  • Requires a malicious agent within the workspace.
  • Triggered by a path canonicalization failure.
  • Enables non-sandboxed remote code execution.

Live Threat

Current exploitation, exposure, and threat context

A malicious agent within Cursor could write arbitrary files outside the designated workspace, potentially leading to remote code execution. This occurs when the agent fails to properly canonicalize a target path, allowing it to write to locations beyond its intended scope.

  • Arbitrary file writes outside the workspace.
  • Malicious agent bypasses path canonicalization.
  • Remote code execution under user privileges.

Operational Fix

Recommended remediation, mitigation, and detection steps

Application owners and infrastructure teams are likely responsible for addressing this vulnerability in the Cursor code editor. The first practical step is to identify all instances of Cursor, determine if they are business-critical, and locate the accountable owner for remediation planning.

  • Application owners should own the issue.
  • Verify Cursor installation and usage scope.
  • Plan for upgrade or configuration review.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is Cursor and how does it use AI?

Cursor is a specialized code editor designed for developers that integrates AI agents directly into the programming workflow. These agents act as assistants, capable of executing terminal commands and modifying files within a defined development workspace to help write and refactor code. It is built as a client-side desktop application, meaning it runs locally on a developer's workstation rather than as a hosted web service.

What is the vulnerability in CVE-2026-50549?

This vulnerability is an instance of Improper Link Resolution Before File Access (CWE-59). The editor's AI agent uses path canonicalization to ensure file operations stay confined to the workspace. However, the software has a logic flaw where it falls back to an unvalidated path if canonicalization fails. An attacker can force this failure using symlinks, allowing the agent to write files to arbitrary locations on the host system without requesting user approval.

How is this file write vulnerability triggered?

The attack requires an AI agent to process a malicious file path within the workspace. By creating a symlink that points outside the workspace and ensuring the target path is inaccessible or nonexistent, an attacker triggers a canonicalization failure. This does not trigger if the agent successfully validates the path or if no symlinks are present. Once the bypass occurs, the agent gains the ability to write files outside of its sandboxed environment using the user's local privileges.

Is my Cursor installation at risk from the internet?

According to Halo Surface Signal, this vulnerability is very unlikely to be exposed via the internet. Because Cursor is a client-side application, the attack surface is restricted to the local development environment. It cannot be triggered by remote network requests targeting an appliance or server. The primary risk exists when a developer works with untrusted code or agents within their local machine's workspace.

How do I secure my environment against this flaw?

The primary response is to update your Cursor installation to version 3.0 or later, which contains the fix for this path validation issue. If you cannot update immediately, ensure you only run AI agents or code from trusted sources within your workspace. As a first step, verify your current application version and establish a plan to migrate your development environment to the patched software version.

References