Critical Cursor IDE bugs allow OS-level remote code execution
Two critical flaws in Cursor’s AI code editor (CVE-2026-50548, CVE-2026-50549) can enable OS-level remote code execution by abusing automatic terminal commands and path resolution, Cato Networks reported.
Two critical vulnerabilities in the Cursor AI code editor could let an attacker execute code on the underlying operating system by escaping the editor’s sandbox, Cato Networks reported. The defects are tracked as CVE-2026-50548 and CVE-2026-50549, carry a CVSS score of 9.8, and are referred to by the researcher name DuneSlide.
The first flaw concerns how Cursor handles the sandbox working directory. When the working_directory parameter is set to a non-default path, Cursor adds that path to an allow list intended to limit terminal commands to the project folder. An attacker who can supply a malicious prompt-for example via an injected request to a service the editor reads-can instruct the agent to change the working directory to a path outside the project. That path can then be used to overwrite the cursorsandbox executable. “Future commands run without sandbox restrictions, so future instructions within the same prompt injection lead to a non-sandboxed RCE,” Cato wrote.
The second flaw involves path canonicalization and symbolic links. An attacker can prompt the agent to create a symlink inside the project that points to a file outside the project. Cursor attempts to resolve the symlink to verify the target is inside the project but in some edge cases it falls back to using the original symlink path. By creating a write-only symlink, an attacker can force Cursor to treat the symlink path as the resolved path and bypass checks, allowing writes to files such as the cursorsandbox executable.
Both issues exploit Cursor’s automatic execution of terminal commands inside the sandbox, a behavior that does not require user approval. Cato described scenarios where a developer request to ingest external content serves as the trigger for a prompt injection that supplies the malicious instructions the agent then executes.
Cato reported the vulnerabilities to Cursor in February. Cursor released fixes for both defects in Cursor 3.0 on April 2, and the CVE identifiers were assigned in early June. The vendor’s patches change how working directories are validated and how symlinks and canonical paths are resolved to prevent out-of-bounds writes and to keep terminal commands restricted to project scopes.
Cursor is an AI-assisted code editor that runs local sandboxed processes to execute developer commands. Users are advised to update to Cursor 3.0. Until they can install the patched release, developers may disable automatic terminal execution and limit ingestion of external content to reduce exposure.




