EXECUTIVE SUMMARY:
Two vulnerabilities have been identified in the Cursor AI-enabled integrated development environment (IDE) affecting versions. These flaws consist of sandbox bypass vulnerabilities that can be exploited through prompt injection to achieve remote code execution (RCE) on the underlying host system. By leveraging untrusted content sources such as web search results or MCP servers, attackers can manipulate the AI agent to break out of its restricted environment. This poses a significant business risk potentially allowing adversaries to fully compromise developer workstations exfiltrate sensitive code and maintain persistent access without requiring additional user interaction.[/subscribe_to_unlock_form]
EXECUTIVE SUMMARY:
Two vulnerabilities have been identified in the Cursor AI-enabled integrated development environment (IDE) affecting versions. These flaws consist of sandbox bypass vulnerabilities that can be exploited through prompt injection to achieve remote code execution (RCE) on the underlying host system. By leveraging untrusted content sources such as web search results or MCP servers, attackers can manipulate the AI agent to break out of its restricted environment. This poses a significant business risk potentially allowing adversaries to fully compromise developer workstations exfiltrate sensitive code and maintain persistent access without requiring additional user interaction.[emaillocker id="1283"]
CVE-2026-50548 with a CVSS score of 9.8 - It is a Cursor IDE sandbox bypass vulnerability where the agent can manipulate the working_directory parameter to write files outside the intended workspace and achieve non-sandboxed remote code execution under the user’s privileges.
CVE-2026-50549 with a CVSS score of 9.8 - It allows Cursor’s agent to abuse symlink path handling and failed canonicalization to write outside the workspace, causing sandbox bypass and non-sandboxed RCE.
RECOMMENDATION:
REFERENCES:
The following reports contain further technical details:
https://www.csoonline.com/article/4191923/sandbox-bypass-flaws-in-cursor-ide-highlight-prompt-injection-as-an-rce-vector.html