Mallory
Unrated

Cursor Desktop sandbox escape via agent-controlled working_directory

Identifiers: CVE-2026-50548, CWE-73

CVE-2026-50548 is a critical sandbox escape vulnerability in Cursor Desktop affecting versions prior to 3.0. Cursor runs agent terminal commands in a sandbox by default and grants write access to the command's working directory. The flaw arises because the agent can control the optional working_directory parameter of the run_terminal_cmd tool, and insufficient restriction of that parameter can cause the sandbox to treat attacker-chosen paths outside the intended workspace as writable. Through prompt-injected or otherwise malicious agent behavior, working_directory can be set to a sensitive location outside the project root, allowing arbitrary file writes under the user's privileges. This can be leveraged to overwrite files such as the cursorsandbox helper so that subsequent terminal commands execute outside the sandbox, resulting in non-sandboxed remote code execution.


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows arbitrary file write outside the intended workspace with the privileges of the logged-in user. This can be used to escape Cursor's terminal sandbox and convert later agent-executed commands into unsandboxed execution. The resulting impact includes full compromise of the developer's local environment within the user's privilege boundary, modification of startup or helper files for persistence or execution control, and potential downstream access to data, credentials, or connected cloud/SaaS workspaces available from that user context. Confidentiality, integrity, and availability impacts are all high according to the provided CVSS details.

Mitigation

If you can’t patch tonight, do this now.

If immediate upgrade is not possible, reduce or disable exposure of the agent to untrusted content sources such as MCP-connected services and web search results, and restrict or disable autonomous terminal command execution where feasible. Limit the agent's ability to influence execution context parameters such as working_directory, and monitor for unexpected writes to sensitive paths including the Cursor sandbox helper, shell startup files, and launch/persistence locations. These are interim mitigations only; the authoritative fix is upgrading to 3.0 or later.

Remediation

Patch, then assume compromise.

Upgrade Cursor to version 3.0 or later, which fixes the vulnerability. The fix should ensure that agent-controlled working_directory values cannot expand sandbox write permissions outside the intended workspace and that terminal commands execute only within a properly constrained sandbox boundary.
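The two rules the mitigation and remediation sections describe, as an added example in Python (not Cursor's code and not taken from the advisory): a containment check that refuses any agent-supplied working_directory resolving outside the workspace, and the matching detection that flags writes landing outside the workspace or on shell startup files, the sandbox helper, or user-level persistence directories. The workspace root, home directory, persistence directories and file paths are constructed; Cursor's real helper path is not given on this page, so only the name "cursorsandbox" from the advisory is used.

```python
from __future__ import annotations
from pathlib import Path

# Names from the advisory's mitigation list: shell startup files and the sandbox helper.
# Cursor's real helper path is not given on this page, so only the name it uses appears here.
SENSITIVE_NAMES = frozenset({".bashrc", ".zshrc", ".profile", ".bash_profile", "cursorsandbox"})
# Constructed user-level persistence locations, relative to the home directory.
PERSISTENCE_DIRS = ("Library/LaunchAgents", ".config/autostart", ".config/systemd/user")


class WorkingDirectoryError(ValueError):
    """Raised when an agent-supplied working_directory would widen the writable area."""


def resolve_working_directory(workspace_root: str, requested: str | None) -> Path:
    """Return the directory a sandboxed command may run (and write) in, or raise.

    Containment rule from the remediation: the agent may pick a directory inside the
    workspace, never one outside it. Both sides are canonicalised (".." and symlinks
    resolved) before comparison, and the comparison is component-wise, so
    /home/dev/proj-evil is not mistaken for a child of /home/dev/proj.
    """
    root = Path(workspace_root).resolve()
    if requested is None:
        return root
    # A relative value is anchored at the workspace; an absolute one replaces it entirely,
    # which is exactly the input that must be contained.
    candidate = (root / requested).resolve()
    if candidate != root and root not in candidate.parents:
        raise WorkingDirectoryError(f"working_directory {requested!r} resolves to {candidate}, outside {root}")
    return candidate


def flag_suspicious_writes(workspace_root: str, home: str, written: list[str]) -> list[str]:
    """Detection side of the same rule: return the written paths that land outside the
    workspace or touch shell startup files, the sandbox helper, or persistence directories."""
    root = Path(workspace_root).resolve()
    home_dir = Path(home).resolve()
    flagged = []
    for raw in written:
        path = Path(raw).resolve()
        outside = path != root and root not in path.parents
        persistence = any((home_dir / d) in path.parents for d in PERSISTENCE_DIRS)
        if outside or persistence or path.name in SENSITIVE_NAMES:
            flagged.append(raw)
    return flagged
```

Feed `flag_suspicious_writes` the paths recorded by whatever file-write auditing you already have (for example audit or EDR write events for the Cursor process) and review every flagged entry.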
PUBLIC EXPLOITS

Exploits

No public exploit code observed for this vulnerability.

ACTIVITY FEED

Recent activity

11 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

Cyber Security News (News)
Jul 1, 2026
Critical Cursor IDE RCE Vulnerabilities Enable Prompt Injection in Zero-Click - Cyber Security News

A critical remote code execution vulnerability in Cursor IDE caused by unsafe handling of the LLM-controlled working_directory parameter, allowing out-of-bounds writes and sandbox escape that can lead to unsandboxed RCE.

The Hacker News (News)
Jul 1, 2026
Critical Cursor Flaws Could Let Prompt Injection Escape Sandbox and Run Commands

A critical Cursor sandbox escape vulnerability in which the AI agent can abuse the working_directory parameter of run_terminal_cmd to gain write access outside the project and overwrite files such as the sandbox helper, disabling the sandbox and enabling arbitrary command execution.

Reddit r/netsec (News)
Jul 1, 2026
Zero-Click Prompt Injection to RCE in Cursor IDE: DuneSlide : r/netsec

A critical remote code execution vulnerability in Cursor IDE, disclosed as part of the DuneSlide research, where zero-click prompt injection through untrusted content ingestion can lead toward sandbox escape, arbitrary file write, and unsandboxed remote code execution.

CVEfeed, high severity (News)
Jun 25, 2026
CVE-2026-50548 - Cursor Desktop sandbox escape via agent-controlled working directory

A critical sandbox escape in Cursor Desktop that allows an agent to manipulate the working_directory parameter to gain write access outside the intended workspace, enabling arbitrary file writes and potentially non-sandboxed remote code execution under the user's privileges.
