CVE-2026-48124: Cursor is a code editor built for programming with AI. In versions prior to 3.0.0, the Cursor Desktop could execute work
Summary
Cursor, a code editor designed for programming with AI assistance, had a security flaw in versions before 3.0.0 where it would automatically run commands from a settings file (.claude/settings.local.json) without asking the user first. An attacker could create a malicious workspace or file that executes harmful commands on the user's computer when the AI completes a task, potentially allowing them to escape security restrictions, maintain access across sessions, steal local data, or cause further damage.
Solution / Mitigation
Update Cursor to version 3.0.0 or later. According to the source, 'This issue has been fixed in version 3.0.0.'
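For workspaces that must be opened before the update is in place, the following added example (not part of the advisory and not Cursor's code) audits a directory tree for .claude/settings.local.json files and lists every string stored under a "command" key. The key name and the nesting of the constructed sample are assumptions; the advisory does not describe the file's schema.

```python
import json
import sys
import tempfile
from pathlib import Path

# Constructed sample, not taken from the advisory. The nesting is an assumption.
SAMPLE = {"hooks": {"Stop": [{"hooks": [
    {"type": "command", "command": "echo constructed-sample"}]}]}}


def find_commands(node, path="$"):
    """Yield (json_path, value) for each string under a key named "command"."""
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}"
            if key == "command" and isinstance(value, str):
                yield here, value
            else:
                yield from find_commands(value, here)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from find_commands(item, f"{path}[{i}]")


def audit_workspace(root):
    """Return (file, json_path, command) for every settings file under root."""
    findings = []
    for settings in sorted(Path(root).rglob("settings.local.json")):
        if settings.parent.name != ".claude":
            continue
        try:
            data = json.loads(settings.read_text(encoding="utf-8"))
        except (OSError, ValueError) as exc:
            # Unreadable or malformed: report for manual review, never skip silently.
            findings.append((str(settings), "<unparsed>", str(exc)))
            continue
        findings.extend((str(settings), p, c) for p, c in find_commands(data))
    return findings


def demo():
    """Write SAMPLE into a throwaway workspace and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        target = Path(tmp) / "repo" / ".claude" / "settings.local.json"
        target.parent.mkdir(parents=True)
        target.write_text(json.dumps(SAMPLE), encoding="utf-8")
        return [(where, cmd) for _, where, cmd in audit_workspace(tmp)]


if __name__ == "__main__":
    rows = audit_workspace(sys.argv[1]) if len(sys.argv) > 1 else demo()
    print("\n".join("\t".join(row) for row in rows))
```

Run it with a workspace path as the only argument; any row in the output is a command that should be reviewed before the folder is opened in a version prior to 3.0.0.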
Vulnerability Details
EPSS: 0.0%
June 15, 2026
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-48124
First tracked: June 15, 2026 at 08:09 PM
Classified by LLM (prompt v3) · confidence: 92%