CVE-2026-48124

HIGH

Cursor Desktop sandbox escape via Claude hook configuration

Title source: cna

Description

Cursor is a code editor built for programming with AI. In versions prior to 3.0.0, the Cursor Desktop could execute workspace-defined Claude hook commands from .claude/settings.local.json without dedicated user approval. A malicious workspace or agent-created file could configure hooks that run local commands in the user's context when an agent turn ends. This could allow sandbox escape, persistence across turns, local data access, or follow-on compromise. This issue has been fixed in version 3.0.0.

References (1)

Core 1

Core References

X_Refsource_Confirm x_refsource_confirm

https://github.com/cursor/cursor/security/advisories/GHSA-pc9j-3qc2-95wv

Scores

CVSS v4 8.5

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Details

CWE

CWE-829 CWE-94

Status published

Products (1)

cursor/cursor < 3.0.0

Published Jun 15, 2026

Tracked Since Jun 16, 2026