What happened
A second sandbox escape in Cursor prior to 3.0: during agent Write operations the sandbox canonicalizes the target path to validate it stays within the workspace, but if canonicalization fails it silently falls back to the original path and permits the write. This means an attacker can supply a path that triggers a canonicalization failure, bypassing the boundary entirely and writing arbitrary files outside the workspace with the user's privileges.
Why it matters
This is a distinct bypass from CVE-2026-50548 affecting the same release line, confirming a systemic weakness in Cursor's sandbox design. Two independent escape paths published simultaneously indicate the sandbox was not comprehensively audited before v3.0. The combined risk means any unpatched Cursor installation running agent tasks is fully exposed to sandbox escape via prompt injection.
Attack vector
When path canonicalization fails (e.g., on a non-existent or specially crafted path), the sandbox falls back to the original unvalidated path and allows the write to proceed. A malicious agent can craft a path that causes canonicalization to fail, bypassing the workspace boundary check and writing files anywhere on the host filesystem.
Affected systems
Cursor AI code editor < 3.0
Mitigation
Upgrade to Cursor 3.0. Advisory: https://github.com/cursor/cursor/security/advisories/GHSA-3v8f-48vw-3mjx