Critical Cursor AI Code Editor Flaws Could Lead to OS-Level Remote Code Execution

Cursor AI Code Editor Flaws Expose Users to OS-Level Remote Code Execution

A pair of critical vulnerabilities in Cursor, a popular artificial intelligence code editor, has been discovered by security researchers at Cato Networks. The flaws, designated as CVE-2026-50548 and CVE-2026-50549, have a CVSS score of 9.8, indicating a high risk of exploitation. These issues could allow attackers to execute malicious code on the underlying operating system, potentially leading to widespread damage.

Cursor’s AI-powered features enable developers to collaborate and share code snippets seamlessly. However, its automatic terminal command execution feature has been found to be vulnerable to abuse. When an attacker injects a payload into the editor, Cursor executes it within its sandbox environment without prompting the user for approval. This allows the threat actor to bypass security boundaries and gain control of the system.

The first vulnerability is related to the way Cursor handles working directories. By assigning a non-default value to the working_directory parameter, an attacker can inject a prompt that instructs the Large Language Model (LLM) to set the working directory to an attacker-supplied path outside the project scope. This enables the attacker to overwrite the cursorsandbox executable, effectively removing the sandbox restrictions and allowing future commands to execute without restriction.

The second flaw affects the IDE’s file path resolution edge cases. An attacker can craft a prompt that instructs Cursor to create within the project directory a symbolic link pointing to an outside file. The agent’s flawed path canonicalization logic allows it to fall back to using the original symlink path, which is write-only and controlled by the attacker.

These vulnerabilities were reported to Cursor in February and patches were included in Cursor 3.0, released on April 2. However, since then, there have been reports of exploitation attempts. The fact that these flaws are independent of each other makes them even more concerning, as they can be exploited simultaneously to achieve maximum impact.

The discovery of these vulnerabilities highlights the importance of regular software updates and patching. It also underscores the need for developers to prioritize security when creating AI-powered tools like Cursor. As AI-driven development becomes increasingly prevalent, so too will the risks associated with it. Developers must take proactive steps to ensure their tools are secure and can withstand potential attacks.

To avoid falling victim to these types of vulnerabilities, users should ensure they are running the latest version of Cursor and keep their system software up-to-date. Regularly monitoring system logs for suspicious activity is also crucial in detecting potential exploitation attempts. Moreover, developers should prioritize security testing and penetration testing as part of their AI-powered tool development process to identify and address potential vulnerabilities before they can be exploited by attackers.


Source: SecurityWeek — 2026-07-03