CVE-2026-48124: Cursor Desktop Sandbox Escape via Claude Hook

A high-severity sandbox escape vulnerability tracked as CVE-2026-48124 (GHSA-pc9j-3qc2-95wv) has been disclosed in Cursor Desktop, the widely adopted AI-powered code editor built on top of VS Code by Anysphere.

The flaw allows malicious or agent-created workspace files to configure Claude hooks that execute arbitrary local operating system commands without requiring explicit user approval, effectively breaking the trust boundary that Cursor’s sandboxed agent environment is designed to enforce.

Vulnerability Overview

The vulnerability was published last month by researcher zehuan-cursor under GitHub Security Advisory GHSA-pc9j-3qc2-95wv.

The core issue lies in how Cursor Desktop processed Claude hook commands sourced from workspace-level configuration files, specifically .claude/settings.local.json, without subjecting them to the same authorization pipeline applied to other agent shell commands.

Claude hooks are event-driven automation triggers built into the Claude agentic framework. When configured, hooks fire at specific lifecycle points, such as the end of an agent turn (Stop), and can execute arbitrary system commands on the developer’s host machine.

Prior to Cursor 3.0.0, workspace-defined hooks stored in .claude/settings.local.json were loaded and executed by the Cursor agent without prompting the user for dedicated approval.

This behavior is in direct contrast to how hooks are expected to function: they should be treated as privileged operations requiring explicit out-of-band consent, not silently inherited from workspace files that any collaborator, repository author, or agent itself could have created.

The attack surface maps to a straightforward but high-impact exploitation chain:

• Stage 1 – Hook Placement: A threat actor, a compromised dependency, or the Cursor agent itself (via indirect prompt injection) writes a malicious .claude/settings.local.json file into the workspace directory. This file contains one or more hook definitions — for example, a Stop hook that triggers a shell command at the end of every agent response turn.
• Stage 2 – Silent Execution: When an agent turn completes, Cursor reads the workspace-level hook configuration and executes the defined commands in the user’s OS context, with no approval dialog, no notification banner, and no entry in the agent command history that would ordinarily flag shell execution.
• Stage 3 – Post-Exploitation: Because the hook persists in the workspace file, it re-executes on every subsequent agent turn. The attacker achieves persistence, can exfiltrate data (credentials, API tokens, environment variables), pivot to other accessible systems, or deploy follow-on malware, all from a file that looks like routine Claude tooling configuration.

This pattern closely mirrors a parallel class of Cursor sandbox escape vulnerabilities disclosed earlier in 2026. CVE-2026-26268 demonstrated that Cursor agents could write to .git/hooks/ directories without restriction, allowing persistent RCE triggered on routine Git operations.

CVE-2026-25725 in Claude Code itself showed that unprotected .claude/settings.json creation inside a bubblewrap sandbox enabled malicious SessionStart hooks to run at host privilege on restart. CVE-2026-48124 represents the same class of trust boundary violation (CWE-501), this time targeting Cursor’s parsing of workspace-local Claude settings.

The vulnerability carries a CVSS v4.0 base score in the High range, with the vector string CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N. Key scoring factors include:

The Passive user interaction requirement is particularly significant: the victim does not need to click, confirm, or execute anything deliberately. Simply resuming an agentic coding session in an affected workspace is sufficient to trigger the hook payload.

Affected Versions and Patch

All versions of Cursor Desktop up to and including 2.4.37 are confirmed vulnerable. The fix is delivered in Cursor Desktop 3.0.0, where workspace-sourced Claude hook commands now require dedicated user approval and are subject to the same execution policy controls as other agent shell commands. Anysphere coordinated the disclosure through GitHub’s security advisory process prior to public release.

Mitigation

Security teams and individual developers should take the following actions immediately:

• Update Cursor Desktop to version 3.0.0 or later. Navigate to Help → Check for Updates inside Cursor, or download the latest release from the official Cursor website.
• Audit .claude/settings.local.json in all workspaces opened with Cursor ≤ 2.4.37, especially those cloned from public repositories or shared environments. Look for Stop, PreToolUse, PostToolUse, or SessionStart hook entries that reference shell commands or interpreters.
• Treat any unexpected hook commands as indicators of compromise. Rotate API keys, session tokens, and any credentials stored in environment variables or local config files if a suspicious hook is found.
• For enterprise deployments, push Cursor 3.0.0 fleet-wide via MDM or deployment tooling, and implement read-only file controls over .claude/ directories until the update is confirmed across all developer endpoints.
• Apply mandatory access controls (AppArmor or SELinux profiles) to restrict write access to .claude/settings.local.json for any legacy Cursor installations that cannot be immediately updated.

CVE-2026-48124 is part of a growing and alarming pattern in AI-powered development environments. In 2025 alone, researchers documented silent code execution via disabled Workspace Trust defaults (CVE-2025-54135).

Agent-initiated writes outside workspace scope (CVE-2025-32018), and 94 unpatched Chromium CVEs embedded in Cursor and Windsurf installations exposing over 1.8 million developers.

The common thread across all these findings is that AI agents operating with broad file-system and shell access create a dramatically expanded attack surface, one that existing IDE security models were not designed to address.

The Cursor agent’s autonomy, while productive, means that a single malicious instruction injected into any content the agent reads, a repository README, a GitHub issue body, a remote MCP tool response, can be sufficient to plant persistent, silently executing payloads.

Developers working in agentic coding environments should treat workspace configuration files with the same scrutiny applied to executable code.

FAQ

Q1: What is CVE-2026-48124?
CVE-2026-48124 is a high-severity sandbox escape vulnerability in Cursor Desktop ≤ 2.4.37 that allows workspace-defined Claude hook commands in .claude/settings.local.json to execute arbitrary OS commands without user approval when an agent turn ends.

Q2: Do I need to do anything if I’m already on Cursor 3.0.0?
No — Cursor 3.0.0 fully patches this issue by enforcing dedicated approval requirements for all workspace-sourced hook commands, aligning them with existing agent shell execution policies.

Q3: Can this vulnerability be exploited remotely?
The attack vector is local, but a remote attacker can stage exploitation by planting a malicious .claude/settings.local.json through a public repository, a shared workspace, or indirect prompt injection into the Cursor agent.

Q4: How do I check if a hook has already been planted in my workspace?
Inspect .claude/settings.local.json in any workspace opened with a vulnerable Cursor version and look for hook keys (Stop, PreToolUse, etc.) referencing shell commands — any such entry not explicitly created by you should be treated as suspicious.

Site: thecybrdef.com

For more insights and updates, follow us on Google News, Twitter, and LinkedIn.

About the Author

John

Author

John is an independent cybersecurity researcher covering vulnerabilities, malware campaigns, and emerging threats in the cybersecurity landscape.

Visit Website View All Posts