
Cursor AI Editor: Two CVSS 9.8 Sandbox Escapes Let a Malicious Agent Write Anywhere on Disk

CVE-2026-50548 and CVE-2026-50549: working directory manipulation and symlink canonicalization bypass in Cursor pre-3.0. The AI coding tool that developers trust with filesystem access had no real sandbox.


Two Escapes, One Premise

Cursor, the AI-powered code editor used by hundreds of thousands of developers, shipped with a sandbox that wasn't one. Two independently discovered vulnerabilities — both scoring CVSS 9.8 — allowed a malicious AI agent to escape workspace boundaries and write arbitrary files anywhere on disk.

CVE-2026-50548 exploits working directory manipulation. The sandbox validates file paths relative to the declared workspace, but an agent can manipulate the working directory context to make paths resolve outside the boundary. CVE-2026-50549 takes a different route: symlink-based canonicalization bypass. Create a symlink inside the workspace that points outside it, and the sandbox's path validation follows the logical path while the OS follows the physical one.

CVSS score (both CVEs): 9.8 Critical. Pre-authentication, network-exploitable, high impact to confidentiality, integrity, and availability.

Affected versions: Cursor < 3.0. Both vulnerabilities patched in Cursor 3.0.

Attack vector: Malicious AI agent response. No user interaction required beyond accepting an agent suggestion.

The Trust Inversion

Developers grant AI coding tools something they'd never give a random npm package: direct filesystem write access. The entire value proposition of Cursor, Windsurf, and similar tools is that the AI can read your code, understand context, and write changes. The sandbox is the single control that prevents 'write changes' from becoming 'write anything.'

When that sandbox is a path-string comparison rather than an OS-level isolation boundary, you get CVE-2026-50548 and CVE-2026-50549. The AI agent doesn't need elevated privileges. It doesn't need a kernel exploit. It needs a relative path and a symlink.
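The gap between a path-string check and what the OS actually resolves, plus a workspace audit for it, as an added example (not Cursor's code and not part of the original article). The function names and the temp-directory layout are constructed for illustration, and a POSIX filesystem is assumed.

```python
import os
import tempfile


def lexical_check(workspace, requested):
    # Weak pattern: normalise the string and compare prefixes.
    # The filesystem is never consulted, so symlinks are invisible here.
    candidate = os.path.normpath(os.path.join(workspace, requested))
    return candidate.startswith(workspace + os.sep)


def physical_check(workspace, requested):
    # Resolve symlinks in both root and target before comparing, and anchor
    # relative paths to the workspace rather than the process working directory.
    root = os.path.realpath(workspace)
    candidate = os.path.realpath(os.path.join(root, requested))
    return os.path.commonpath([root, candidate]) == root


def escaping_symlinks(workspace):
    # Audit helper: symlinks inside the workspace whose targets resolve outside it.
    root = os.path.realpath(workspace)
    found = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                target = os.path.realpath(path)
                if os.path.commonpath([root, target]) != root:
                    found.append(os.path.relpath(path, root))
    return sorted(found)


def demo():
    # Constructed layout: <tmp>/workspace/{src, vendor -> <tmp>/outside}
    base = os.path.realpath(tempfile.mkdtemp())
    workspace = os.path.join(base, "workspace")
    os.makedirs(os.path.join(workspace, "src"))
    os.makedirs(os.path.join(base, "outside"))
    os.symlink(os.path.join(base, "outside"), os.path.join(workspace, "vendor"))
    return {
        "lexical_via_link": lexical_check(workspace, "vendor/notes.txt"),
        "physical_via_link": physical_check(workspace, "vendor/notes.txt"),
        "physical_in_tree": physical_check(workspace, "src/main.py"),
        "audit": escaping_symlinks(workspace),
    }


if __name__ == "__main__":
    print(demo())
```

Even the realpath-based check leaves a window between the check and the write in which a link can be swapped, so it belongs alongside OS-level containment rather than in place of it.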

AI Is the Risk Multiplier

This is not a theoretical attack. Prompt injection via malicious repositories is documented. A developer clones a repo containing a crafted .cursorrules file or a README with hidden instructions. The AI agent follows those instructions, which now include writing to ~/.ssh/authorized_keys or ~/.bashrc. The sandbox was supposed to prevent exactly this. It didn't.

The pattern is clear: every AI tool that gains filesystem access becomes an attack surface proportional to the trust developers place in it. Cursor joins Claude Code (CVE-2026-46406), Gemini CLI (CVSS 10.0), and Copilot in the growing list of AI development tools with critical sandbox or execution boundary failures in 2026.

What This Means

Update to Cursor 3.0 immediately. Audit any projects where Cursor agents had extended autonomy. The fix is in place, but the architectural question remains: should AI coding tools use path-string validation for sandboxing, or does this class of tool require OS-level containment — containers, VMs, or seccomp profiles? The answer, after two 9.8s in one disclosure, seems obvious.
