Cursor IDE DuneSlide flaws let prompt injection escape the sandbox with no user click
Two critical vulnerabilities in Cursor IDE let an attacker's instructions, hidden inside a connected service or a web search result, break out of the editor's safety sandbox and run arbitrary commands on a developer's machine. No click or approval is required from the user. The patch shipped in Cursor 3.0; every earlier version is still exposed.
What happened
Cato AI Labs published its disclosure on July 1, naming the pair DuneSlide. The two flaws are tracked as CVE-2026-50548 and CVE-2026-50549, each scoring 9.8 on the CVSS 3.x scale (9.3 under CVSS 4.0), per The Hacker News. Both exploit the same underlying path: plant instructions in something Cursor's agent reads on the developer's behalf, whether that's a Model Context Protocol (MCP) server response, a web search return, or a malicious file inside the project. Those instructions ride in silently alongside a legitimate request and the sandbox never asks for confirmation.
The Cursor 2.x sandbox was built specifically to contain this kind of risk: it limits which directories terminal commands can write to. DuneSlide defeats that containment through two separate mechanisms.
CVE-2026-50548 abuses the working_directory parameter on Cursor's run_terminal_cmd tool. When the agent sets a non-default working directory, Cursor adds that path to the sandbox's allowed-write list without independently validating it. Injected instructions point the parameter at a system path instead of the project folder. Overwriting the sandbox helper itself at /Applications/Cursor.app/Contents/Resources/app/resources/helpers/cursorsandbox on macOS (or shell startup files such as ~/.zshrc) disables the sandbox entirely for subsequent commands.
CVE-2026-50549 attacks the symlink-resolution check Cursor runs before writing. When the check fails because the target does not exist or read access has been removed from a directory in the path, Cursor falls back to trusting the symlink's in-project pointer rather than blocking the write. An attacker creates a symlink pointing outside the project and then forces the check to fail. Cursor writes straight through it to the same sandbox helper, producing the same escape through a different door.
Once the sandbox is gone, commands run as the developer's own account. That means full machine access and any cloud or SaaS workspaces the editor is authenticated into.
Timeline and patch status
Cato reported both flaws on February 19. Cursor's initial response, four days later, said the threat model did not cover MCP-based attacks. Cato pushed back on February 26; Cursor reopened both reports, triaged them, and shipped the fix in Cursor 3.0 on April 2. CVE IDs were assigned on June 5, per The Hacker News. Cursor published its own advisory for the symlink bug and the NVD record for CVE-2026-50549 is live. Cato reports no known exploitation in the wild.
All Cursor versions before 3.0 remain vulnerable. Cursor has said more than half the Fortune 500 use the tool, which means update urgency is broad.
Why it matters
The attack surface is anything Cursor's agent reads from an external source. A developer does not need to visit a malicious page, open a suspicious file, or approve a flagged request. Routine tasks like asking the agent to search the web or query an MCP-connected service are enough to trigger the injection chain.
DuneSlide is not an isolated incident for Cursor. Cato's earlier CurXecute (CVE-2025-54135, August 2025) exploited a planted Slack message to rewrite Cursor's MCP config and run commands even after the user rejected an edit prompt. Check Point Research's MCPoison (CVE-2025-54136) let an already-approved MCP config swap in new malicious commands silently. Each generation of sandbox improvements has been followed within months by a new escape.
Cato says it is disclosing similar sandbox-escape flaws in other AI coding agents. That means Cursor is likely not the only editor where prompt injection can reach the host OS.
What to watch next
The immediate action is version verification: check that Cursor is running 3.0 or later before the next agent session. On macOS, go to Cursor menu and select "About Cursor." On Linux, open a terminal and check the version string from the Cursor binary directly.
Beyond Cursor, watch for Cato's follow-on disclosures covering other AI coding agents. Copilot, Windsurf, and Cline have not yet been named, but Cato's framing treats the problem as structural to any tool that passes untrusted text to an agent with file-write access.
Sources
- DuneSlide: Two Critical RCE Vulnerabilities via Zero-Click Prompt Injection in Cursor IDE - Cato AI Labs, primary researcher disclosure
- Critical Cursor Flaws Could Let Prompt Injection Escape Sandbox and Run Commands - The Hacker News, Jul 1 2026
- Sandbox bypass flaws in Cursor IDE highlight prompt injection as an RCE vector - CSO Online
- Cursor AI Vulnerability Exposed Developer Devices - SecurityWeek