Skip to main content
Meet us at Black Hat USA 2026— Las Vegas, August 1–6Book a Meeting
Mallory
Unrated

Cursor Desktop sandbox escape via symlink canonicalization bypass

IdentifiersCVE-2026-50549CWE-59

CVE-2026-50549 is a critical sandbox escape vulnerability in Cursor Desktop affecting versions prior to 3.0. Cursor runs agent terminal commands in a sandbox by default and, before allowing an agent-initiated write, canonicalizes the destination path to verify that the real target remains داخل the workspace. The flaw is in the fallback behavior: when canonicalization fails, Cursor falls back to the original, unvalidated path and proceeds with the write without approval. A malicious agent can exploit this by creating a symlink inside the workspace that points to a location outside the workspace, then forcing canonicalization to fail, for example because the target does not yet exist or because read permission is removed from a path component. Cursor then writes through the symlink to an arbitrary external path under the user’s privileges, bypassing the intended workspace boundary checks.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows arbitrary file writes outside the workspace with the privileges of the logged-in user. This can be used to overwrite sensitive files, including Cursor components such as the cursorsandbox helper, so that subsequent agent terminal commands execute outside the sandbox. As a result, the vulnerability can lead to non-sandboxed remote code execution, compromise of the local developer workstation, persistence via modification of startup or helper files, and potential access to credentials or connected cloud/SaaS environments available to the user context.

Mitigation

If you can’t patch tonight, do this now.

If immediate upgrade is not possible, reduce exposure by restricting or disabling agent access to untrusted content sources such as MCP-connected services and web search results, limiting agent write capabilities, and monitoring for unexpected symlink creation inside workspaces. Additional defensive measures include enforcing strict filesystem permissions, validating that symlink targets resolve within the workspace, and preventing modification of sensitive helper binaries or startup files through OS-level controls where feasible.

Remediation

Patch, then assume compromise.

Upgrade Cursor to version 3.0 or later, which fixes the vulnerable path validation behavior. The fix should ensure that failed canonicalization is treated as a hard failure rather than falling back to the original path, and that symlink targets are validated against workspace boundaries before any write is permitted.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

ACTIVITY FEED

Recent activity

8 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity4

Community discussion across Reddit, Mastodon, and other social sources.