Cursor Desktop sandbox escape via agent-controlled working_directory
CVE-2026-50548 is a critical sandbox escape vulnerability in Cursor Desktop affecting versions prior to 3.0. Cursor runs agent terminal commands in a sandbox by default and grants write access to the command's working directory. The flaw arises because the agent can control the optional working_directory parameter of the run_terminal_cmd tool, and insufficient restriction of that parameter can cause the sandbox to treat attacker-chosen paths outside the intended workspace as writable. Through prompt-injected or otherwise malicious agent behavior, working_directory can be set to a sensitive location outside the project root, allowing arbitrary file writes under the user's privileges. This can be leveraged to overwrite files such as the cursorsandbox helper so that subsequent terminal commands execute outside the sandbox, resulting in non-sandboxed remote code execution.
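The description above comes down to a missing containment check on an agent-supplied path. The following is an added example, not Cursor's code and not the fix shipped in 3.0. It contrasts a constructed prefix check with one that resolves `..` and symlinks before comparing against the workspace root. The function names, the temporary directory layout and the sample requests are assumptions made for illustration.

```python
import os
import tempfile
from pathlib import Path
from typing import Optional


def naive_is_allowed(workspace: str, requested: str) -> bool:
    """Constructed weak check for contrast: prefix test on the unresolved path."""
    return os.path.join(workspace, requested).startswith(workspace)


def resolve_working_directory(workspace: str, requested: Optional[str]) -> Path:
    """Hypothetical helper: validate an agent-supplied working_directory."""
    root = Path(workspace).resolve(strict=True)
    if not requested:
        return root
    # Relative values are joined to the root; an absolute value replaces it.
    # resolve() collapses ".." and follows symlinks before the comparison.
    candidate = (root / requested).resolve(strict=True)
    if not candidate.is_dir():
        raise ValueError(f"not a directory: {candidate}")
    if candidate != root and root not in candidate.parents:
        raise ValueError(f"working_directory escapes workspace: {candidate}")
    return candidate


def demo() -> dict:
    """Compare both checks on constructed requests in a temporary layout."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp).resolve()
        ws, outside = base / "project", base / "outside"
        (ws / "src").mkdir(parents=True)
        outside.mkdir()
        (ws / "link").symlink_to(outside, target_is_directory=True)
        samples = {"src": "src", "dotdot": "../outside",
                   "absolute": str(outside), "symlink": "link"}
        results = {}
        for name, req in samples.items():
            try:
                resolve_working_directory(str(ws), req)
                hardened = True
            except (ValueError, OSError):
                hardened = False
            results[name] = (naive_is_allowed(str(ws), req), hardened)
        return results


if __name__ == "__main__":
    print(demo())  # {name: (naive_allows, hardened_allows)}
```

Write access should be granted to the resolved path the helper returns, not to the original string, so that a later change to a symlink cannot redirect the grant.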
Exploits
No public exploit code observed for this vulnerability.
Recent activity
11 sources tracked across advisories, community write-ups, and news.
A critical remote code execution vulnerability in Cursor IDE caused by unsafe handling of the LLM-controlled working_directory parameter, allowing out-of-bounds writes and sandbox escape that can lead to unsandboxed RCE.
A critical Cursor sandbox escape vulnerability in which the AI agent can abuse the working_directory parameter of run_terminal_cmd to gain write access outside the project and overwrite files such as the sandbox helper, disabling the sandbox and enabling arbitrary command execution.
A critical remote code execution vulnerability in Cursor IDE, disclosed as part of the DuneSlide research, where zero-click prompt injection through untrusted content ingestion can lead toward sandbox escape, arbitrary file write, and unsandboxed remote code execution.
A critical sandbox escape in Cursor Desktop that allows an agent to manipulate the working_directory parameter to gain write access outside the intended workspace, enabling arbitrary file writes and potentially non-sandboxed remote code execution under the user's privileges.