
RESEARCHERS have disclosed two critical vulnerabilities in the Cursor AI‑powered IDE that let attackers break out of its sandbox and execute arbitrary code on the host system. The flaws affect users across industries, including many Fortune 500 companies that rely on the editor for daily development work.
The flaws, tracked as CVE‑2026‑50548 and CVE‑2026‑50549, were rated at CVSS 9.3 by SecurityOnline and at CVSS 9.8 by SecurityWeek, reflecting a significant risk of remote code execution. The first vulnerability stems from a non‑default _working_directory parameter that can be manipulated to bypass the IDE’s sandbox boundaries.
The second flaw involves improper handling of symbolic links, which allows an attacker to create symlinks that mislead Cursor’s path resolution. By chaining these tricks, an attacker can execute arbitrary commands with the same privileges as the IDE process, effectively escaping the sandbox.
Security researchers reported the issues in February and the vendor issued fixes in Cursor 3.0, which was released in April. To date, there are no confirmed cases of active exploitation in the wild, though the presence of proof‑of‑concept code means administrators should remain vigilant.
Users should update to the latest Cursor version as soon as possible to apply the security patches. Disabling automatic terminal execution within the IDE reduces the chance that a malicious project can trigger unintended commands. Additionally, reviewing workspaces for unexpected symbolic links and restricting IDE permissions to only necessary directories can further limit exposure.
Enterprises should consider enforcing application‑level controls that prevent the IDE from spawning processes outside approved directories. Keeping an eye on vendor advisories and subscribing to security mailing lists will help defenders stay ahead of any future issues.