Cursor Desktop sandbox escape via symlink canonicalization bypass
CVE-2026-50549 is a critical sandbox escape vulnerability in Cursor Desktop affecting versions prior to 3.0. Cursor runs agent terminal commands in a sandbox by default and, before allowing an agent-initiated write, canonicalizes the destination path to verify that the real target remains inside the workspace. The flaw is in the fallback behavior: when canonicalization fails, Cursor falls back to the original, unvalidated path and proceeds with the write without approval. A malicious agent can exploit this by creating a symlink inside the workspace that points to a location outside the workspace, then forcing canonicalization to fail, for example because the target does not yet exist or because read permission is removed from a path component. Cursor then writes through the symlink to an arbitrary external path under the user’s privileges, bypassing the intended workspace boundary checks.
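A minimal model of the check described above, added here as an illustration and not taken from Cursor's code: the first function reproduces the fallback-on-failure pattern, the second fails closed. The function names and the temporary directory layout are assumptions constructed for the example.

```python
import os
import tempfile
from pathlib import Path


def _inside(root: Path, candidate: Path) -> bool:
    return os.path.commonpath([root, candidate]) == str(root)  # component-wise, not prefix


def allow_write_fallback(workspace: str, dest: str) -> bool:
    """Flawed pattern: if canonicalization fails, validate the raw path instead."""
    root = Path(workspace).resolve(strict=True)
    try:
        target = Path(dest).resolve(strict=True)
    except OSError:
        target = Path(os.path.abspath(dest))  # symlinks left unresolved
    return _inside(root, target)


def allow_write_fail_closed(workspace: str, dest: str) -> bool:
    """Hardened pattern: any canonicalization failure denies the write."""
    root = Path(workspace).resolve(strict=True)
    leaf = Path(dest)
    try:
        parent = leaf.parent.resolve(strict=True)  # must exist and be readable
    except (OSError, RuntimeError):
        return False
    if leaf.is_symlink():  # never write through a link, dangling or not
        return False
    return _inside(root, parent)


def demo() -> dict:
    """Constructed layout: workspace/notes.txt -> outside/new.txt (target absent)."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp).resolve()
        ws = base / "workspace"
        ws.mkdir()
        (base / "outside").mkdir()
        link = ws / "notes.txt"
        link.symlink_to(base / "outside" / "new.txt")  # dangling symlink
        return {
            "fallback_link": allow_write_fallback(str(ws), str(link)),
            "closed_link": allow_write_fail_closed(str(ws), str(link)),
            "closed_plain": allow_write_fail_closed(str(ws), str(ws / "src.txt")),
        }


if __name__ == "__main__":
    print(demo())
```

The check alone still leaves a window between validation and the write; opening the destination with `os.O_NOFOLLOW` at write time refuses a symlink in the final path component.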
Exploits
No public exploit code observed for this vulnerability.
Recent activity
8 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A critical remote code execution vulnerability in Cursor IDE caused by a symlink canonicalization bypass in path resolution logic, enabling out-of-bounds file overwrite, sandbox escape, and privileged RCE.
A critical Cursor sandbox escape vulnerability caused by improper symlink destination validation fallback logic, allowing writes outside the project boundary and overwrite of the sandbox helper, leading to arbitrary command execution as the user.
A critical remote code execution vulnerability in Cursor IDE, disclosed as part of the DuneSlide research, where zero-click prompt injection through untrusted content ingestion can lead toward sandbox escape, arbitrary file write, and unsandboxed remote code execution.
A critical Cursor Desktop vulnerability involving sandbox escape via symlink abuse and failed path canonicalization, allowing arbitrary file write outside the workspace and potentially leading to remote code execution under the user's privileges.