Critical Cursor Sandbox Escape Flaws Enable Unauthenticated Command Execution
Two prompt injection vulnerabilities in Cursor AI editor allow attackers to bypass sandbox restrictions and execute arbitrary commands on developer machines via zero-click attack vector.
Attack Brief
TargetCursor (AI code editor)VectorPrompt injection leading to sandbox escape and remote code executionAttributionresearcher disclosure
Technical Details
CVE IDsCVE-2026-50548CVE-2026-50549MITRE ATT&CKT1059T1190AffectedCursor versions before 3.0; patched in Cursor 3.0 (released April 2, 2026)
Impact
Affected OrganisationsMore than half of Fortune 500 companies reported using CursorConfirmed DamageNo known active exploitation as of publication
Mitigation
PatchesCursor 3.0 and laterDetectionCVE-2026-50548 exploits working_directory parameter in run_terminal_cmd tool to write to system files (/Applications/Cursor.app/Contents/Resources/app/resources/helpers/cursorsandbox on macOS, startup files like ~/.zshrc). CVE-2026-50549 exploits symlink resolution fallback to bypass path validation checks and write outside project boundaries.
Context
Similar AttacksPrompt injection via Model Context Protocol (MCP) servers and web search results; zero-click attack requiring no user interaction or approval