Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-48124

CVE-2026-48124: Cursor Code Editor RCE Vulnerability

CVE-2026-48124 is a remote code execution flaw in Cursor Code Editor that allows malicious workspaces to execute unauthorized commands. This post explains its impact, affected versions, and mitigation steps.

Published:

CVE-2026-48124 Overview

CVE-2026-48124 affects Cursor, an AI-assisted code editor, in all versions prior to 3.0.0. The vulnerability allows Cursor Desktop to execute workspace-defined Claude hook commands from .claude/settings.local.json without dedicated user approval. A malicious workspace or agent-created file can configure hooks that run local commands in the user's context when an agent turn ends. The flaw is classified under [CWE-94] Improper Control of Generation of Code. Cursor resolved the issue in version 3.0.0.

Critical Impact

Attackers can achieve sandbox escape, agent-turn persistence, local data access, and follow-on host compromise by planting hook configurations in a workspace.

Affected Products

  • Cursor Desktop versions prior to 3.0.0
  • Workspaces containing .claude/settings.local.json hook definitions
  • Cursor environments where AI agents can create or modify workspace files

Discovery Timeline

  • 2026-06-15 - CVE-2026-48124 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2026-48124

Vulnerability Analysis

The vulnerability resides in how Cursor Desktop processes Claude hook configurations stored in .claude/settings.local.json within a workspace. Hooks are commands that execute around agent activities, including at the end of an agent turn. Cursor honored these workspace-scoped hooks without prompting the user for explicit approval. An attacker who controls the workspace contents, or an AI agent that writes files inside the workspace, can introduce arbitrary commands that the editor will execute locally in the user's security context.

Because the hook fires at the end of an agent turn, execution is triggered by ordinary developer activity rather than a deliberate user action. The result is local code execution outside the boundaries of the agent sandbox, with the privileges of the logged-in user.

Root Cause

The root cause is missing user-consent enforcement around workspace-defined hook commands. Cursor treated .claude/settings.local.json as trusted configuration even though the file lives inside untrusted workspace content. This is an instance of [CWE-94] Improper Control of Generation of Code, where attacker-controlled data is interpreted as executable instructions.

Attack Vector

Attack delivery is local and requires user interaction to open or operate on a malicious workspace. The exploitation flow proceeds as follows:

  1. An attacker plants .claude/settings.local.json containing hook commands inside a shared repository, template, or generated project.
  2. The developer opens the workspace in Cursor Desktop and interacts with the AI agent.
  3. At agent-turn completion, Cursor executes the hook command with the user's privileges.
  4. The command can establish persistence, exfiltrate data, or pivot to additional local resources.

A second path involves an AI agent itself writing the settings.local.json file as part of generated output, after which the same hook execution path triggers without the user reviewing the new file.

Detection Methods for CVE-2026-48124

Indicators of Compromise

  • Presence of unexpected .claude/settings.local.json files in repositories or scaffolded projects
  • Hook entries referencing shell commands, curl, wget, base64-encoded payloads, or outbound network endpoints
  • Child processes spawned by the Cursor Desktop binary that do not correspond to build, lint, or run tasks
  • Outbound connections from developer hosts initiated shortly after Cursor agent activity

Detection Strategies

  • Scan source-controlled repositories for .claude/settings.local.json and flag any hook definitions for review
  • Monitor process trees where Cursor or its helper processes spawn shells, interpreters, or scripting hosts
  • Correlate file-write events that create settings.local.json with subsequent process execution from the same workspace path
  • Alert on Cursor child processes executing commands outside the workspace directory

Monitoring Recommendations

  • Forward developer endpoint telemetry, including process creation and file-write events, to a central data lake for retrospective hunting
  • Track Cursor Desktop version inventory and alert on hosts running versions below 3.0.0
  • Enable network egress logging on developer subnets to identify exfiltration from hook-triggered commands

How to Mitigate CVE-2026-48124

Immediate Actions Required

  • Upgrade Cursor Desktop to version 3.0.0 or later on all developer endpoints
  • Audit existing repositories and workspace templates for .claude/settings.local.json files and remove untrusted hook entries
  • Restrict use of untrusted or third-party workspaces until upgrade verification is complete
  • Review AI agent activity logs for file writes that created settings.local.json prior to patching

Patch Information

The issue is fixed in Cursor 3.0.0. Refer to the GitHub Security Advisory GHSA-pc9j-3qc2-95wv for upstream remediation details.

Workarounds

  • Block creation of .claude/settings.local.json through endpoint file-integrity policy where Cursor is in use
  • Open untrusted repositories only inside isolated virtual machines or containers with no access to credentials or sensitive data
  • Disable AI agent file-write capabilities in Cursor configuration where the policy is available
  • Require code review of any committed .claude/ directory contents before opening the workspace locally
bash
# Configuration example: locate and remove workspace hook files before opening
find . -path '*/.claude/settings.local.json' -print -delete

# Verify installed Cursor version is patched
cursor --version

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.