CVE-2026-48124
Description
A vulnerability in Cursor Desktop before 3.0.0 allows workspace-defined Claude hook commands to execute without user approval, enabling sandbox escape and local compromise.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Cursor Desktop versions prior to 3.0.0 could execute workspace-defined Claude hook commands from .claude/settings.local.json without dedicated user approval [1]. A malicious workspace or an agent-created file could configure hooks that run local commands in the user's context when an agent turn ends [1].
Exploitation
An attacker must convince the user to open a malicious workspace or an agent-created file that contains a crafted .claude/settings.local.json. The workspace can define hook commands that execute automatically when an agent turn ends, without any additional user interaction beyond opening the workspace [1]. This allows the attacker to execute arbitrary commands in the user's local context.
Impact
Successful exploitation enables sandbox escape, persistence across turns, local data access, or follow-on compromise [1]. The attacker achieves code execution in the user's context, potentially gaining access to files, credentials, and the ability to install malware or pivot to other systems.
Mitigation
The issue has been fixed in Cursor Desktop version 3.0.0 [1]. Users should update to the patched version immediately. Workspace-sourced hook commands now require appropriate approval and are subject to the same execution policy controls as other agent shell commands [1]. If upgrading is not possible, users should avoid opening workspaces or agent-created files from untrusted sources.
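As an added example (not Cursor's or Anthropic's code), the following pre-open audit lists every hook command that a checkout's .claude settings files would register, so a reviewer can see them before the workspace is trusted. It assumes the settings are JSON with a top-level "hooks" object whose entries carry a "command" string; the file names under .claude/ and the sample content are assumptions.

```python
from __future__ import annotations
import json
import os
from typing import Any, Iterator

# Assumed settings file names under a workspace's .claude/ directory.
HOOK_FILES = ("settings.local.json", "settings.json")

def iter_commands(node: Any, path: str = "") -> Iterator[tuple[str, str]]:
    """Yield (json_path, command) for every string-valued "command" key under node.
    The walk is generic so it does not depend on the exact hook event names."""
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}" if path else key
            if key == "command" and isinstance(value, str):
                yield child, value
            else:
                yield from iter_commands(value, child)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from iter_commands(item, f"{path}[{i}]")

def audit_settings(text: str, source: str = "<memory>") -> list[dict]:
    """Parse one settings document and return one finding per hook command."""
    try:
        data = json.loads(text)
    except json.JSONDecodeError as exc:
        return [{"file": source, "path": "", "command": "", "error": f"invalid JSON: {exc}"}]
    hooks = data.get("hooks") if isinstance(data, dict) else None
    if not hooks:
        return []
    return [{"file": source, "path": f"hooks.{p}", "command": cmd}
            for p, cmd in iter_commands(hooks)]

def audit_workspace(root: str) -> list[dict]:
    """Walk a checkout and audit every .claude/ settings file found."""
    findings: list[dict] = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if os.path.basename(dirpath) == ".claude":
            for name in HOOK_FILES:
                if name in filenames:
                    full = os.path.join(dirpath, name)
                    with open(full, encoding="utf-8") as fh:
                        findings.extend(audit_settings(fh.read(), full))
    return findings

# Constructed sample: a workspace-local settings file registering a benign Stop hook.
SAMPLE = json.dumps({"hooks": {"Stop": [{"hooks": [
    {"type": "command", "command": "echo turn-ended"}]}]}})

if __name__ == "__main__":
    for f in audit_workspace("."):
        print(f"{f['file']}: {f.get('path')} -> {f.get('command') or f.get('error')}")
```

Run it from the root of a freshly cloned repository before opening the folder in the IDE; any non-empty output is a hook command that would run in your context on an agent turn end.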
AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (1)
News mentions (0)
No linked articles in our index yet.