Cato AI Labs disclosed DuneSlide, a pair of critical remote code execution vulnerabilities in Cursor IDE — tracked as CVE-2026-50548 and CVE-2026-50549, each scored 9.8 CVSS (9.3 under CVSS 4.0). Both let an attacker who controls no more than a web page or an MCP server response turn Cursor’s own command sandbox into the mechanism that disables it, achieving fully unsandboxed code execution with zero clicks beyond the developer’s original, entirely benign prompt. Cursor is used by more than half of the Fortune 500, making this one of the more consequential AI-coding-agent bugs disclosed this year.
What Happened
Cursor sandboxes the shell commands its AI agent runs on a developer’s behalf, restricting writes to the project directory. DuneSlide is two independent ways to defeat that sandbox using prompt injection — no IDE permission dialog, no explicit user approval of the malicious action, just an ordinary prompt that causes the agent to ingest attacker-controlled text from an untrusted source (an MCP tool response, a scraped web page, a poisoned search result) mid-task.
CVE-2026-50548 — working-directory escape. Cursor’s run_terminal_cmd tool accepts an optional, LLM-controlled working_directory parameter, and the sandbox grants write access to whatever directory that parameter names. A prompt injection can steer the agent into setting working_directory to a path outside the project root — including the app’s own resources directory — giving the agent write access to files it was never supposed to touch.
CVE-2026-50549 — symlink path-resolution fallback. Before writing a file, Cursor resolves symlinks to confirm the real target sits inside the project. The bug is in the failure path: if that resolution check fails — because the target doesn’t exist yet, or the attacker has stripped read access from a directory in the path — Cursor gives up on verification and trusts the symlink’s apparent in-project path instead of the real destination.
Chaining the two, an attacker plants a symlink (or uses the working-directory redirect directly) to overwrite cursorsandbox, the helper binary at /Applications/Cursor.app/Contents/Resources/app/resources/helpers/cursorsandbox that enforces the sandbox boundary in the first place. Once that binary is replaced, every subsequent terminal command the agent runs executes fully unsandboxed on the host: arbitrary file writes, credential theft, and code execution with the developer's own privileges.
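What a fail-closed version of both checks looks like, as an added example that is not Cursor's code and not taken from the advisory: the same containment routine is applied to an LLM-supplied working directory (the CVE-2026-50548 case) and to a file-write path (the CVE-2026-50549 case). Symlinks are resolved one component at a time; a path whose tail does not exist yet is allowed, since new files are a normal write, but any other resolution error (permission denied, symlink loop) refuses the request instead of falling back to the apparent path. `vulnerable_resolve` reproduces the failure-path pattern the advisory describes for contrast. The fixture directory, the `locked` directory name and the injectable `lstat` are constructed for the demonstration.

```python
# Added example, not Cursor's own code: fail-closed containment for the two
# LLM-controlled inputs described above (working_directory and a write path).
import errno
import os
import pathlib
import stat
import tempfile


class PathEscape(Exception):
    """The requested path does not stay inside the project root."""


def vulnerable_resolve(path: str) -> str:
    """The failure-path pattern the advisory describes, kept deliberately wrong:
    strict resolve, but on *any* OSError (missing target, unreadable directory)
    fall back to the lexical path and treat that as the destination."""
    try:
        return str(pathlib.Path(path).resolve(strict=True))
    except OSError:
        return os.path.abspath(path)


def resolve_fail_closed(path, *, lstat=os.lstat, readlink=os.readlink, _hops=0):
    """Physical path for `path`. Each existing component is lstat'ed; a symlink
    replaces the walked prefix and the walk restarts from its target. ENOENT ends
    the walk and the rest is appended lexically (nothing is left to follow). Any
    other OSError propagates: the caller must refuse, not guess. lstat/readlink
    are injectable so error paths can be exercised without a root-only setup."""
    if _hops > 40:
        raise OSError(errno.ELOOP, "too many levels of symbolic links", path)
    if not os.path.isabs(path):
        path = os.path.join(os.getcwd(), path)
    parts = [p for p in path.split(os.sep) if p not in ("", ".")]
    resolved = os.sep
    for i, part in enumerate(parts):
        if part == "..":  # physical parent of what was actually resolved
            resolved = os.path.dirname(resolved)
            continue
        candidate = os.path.join(resolved, part)
        try:
            st = lstat(candidate)
        except FileNotFoundError:
            return os.path.normpath(os.path.join(resolved, *parts[i:]))
        if stat.S_ISLNK(st.st_mode):
            target = readlink(candidate)
            if not os.path.isabs(target):
                target = os.path.join(resolved, target)
            return resolve_fail_closed(os.path.join(target, *parts[i + 1:]),
                                       lstat=lstat, readlink=readlink, _hops=_hops + 1)
        resolved = candidate
    return resolved


def contain(project_root, requested, **fs):
    """Physical path for `requested` (relative to the project root) or PathEscape.
    Use this for working_directory as well as for write targets."""
    root = resolve_fail_closed(project_root, **fs)
    target = resolve_fail_closed(os.path.join(root, requested), **fs)
    if os.path.commonpath([root, target]) != root:
        raise PathEscape(f"{requested!r} resolves to {target!r}, outside {root!r}")
    return target


def safe_write(project_root, requested, data: bytes):
    """Contained file write. O_NOFOLLOW refuses a symlink swapped into the last
    component between the check and the open."""
    target = contain(project_root, requested)
    os.makedirs(os.path.dirname(target), exist_ok=True)
    fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_TRUNC | os.O_NOFOLLOW, 0o644)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return target


def demo() -> dict:
    """Constructed fixture: a project root beside an 'outside' directory, a symlink
    into it, and a dangling symlink whose target does not exist yet."""
    def outcome(fn, *a, **kw):
        try:
            return ("ok", fn(*a, **kw))
        except (PathEscape, OSError) as e:
            return (type(e).__name__, None)

    def denying_lstat(p):  # simulates a directory the checker cannot read
        if p.endswith(os.sep + "locked"):
            raise PermissionError(errno.EACCES, "Permission denied", p)
        return os.lstat(p)

    with tempfile.TemporaryDirectory() as tmp:
        root, outside = os.path.join(tmp, "project"), os.path.join(tmp, "outside")
        os.makedirs(os.path.join(root, "src"))
        os.makedirs(outside)
        os.symlink("../outside", os.path.join(root, "escape"))
        os.symlink("../outside/not_yet_there", os.path.join(root, "dangling"))
        written = safe_write(root, "src/new.txt", b"hello")
        with open(written, "rb") as f:
            content = f.read()
        return {
            "new_file_inside": written.startswith(resolve_fail_closed(root)),
            "new_file_content": content,
            "wd_escape": outcome(contain, root, "../outside"),
            "symlink_dir": outcome(safe_write, root, "escape/payload", b"x"),
            # looks in-project, but a write would land in outside/not_yet_there
            "dangling_vulnerable": vulnerable_resolve(os.path.join(root, "dangling")),
            "dangling_hardened": outcome(safe_write, root, "dangling", b"x"),
            "unreadable_hardened": outcome(contain, root, "locked/secret", lstat=denying_lstat),
        }
```

The design point is the `except FileNotFoundError` branch: a missing tail is the only resolution failure that is safe to continue past, and even then every component before it has already been physically verified. The walk also treats `..` physically, against the resolved prefix, so `link/../x` cannot be collapsed lexically into an in-project name.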
Impact
Every Cursor release before 3.0 is affected by both bugs, and because the symlink fix shipped after 3.0 (see the timeline below), a 3.0 build that predates it is still exposed to CVE-2026-50549. The realistic attack path doesn’t require social engineering beyond a developer’s routine agent usage: ask Cursor to summarize a webpage, debug against a public API, or use an MCP server that touches external content, and a payload embedded in that content can trigger the chain silently. Because the exploit executes with the developer’s local privileges, the blast radius includes SSH keys, cloud CLI credentials, source code, and CI/CD secrets stored on the workstation, and by extension anything those credentials can reach.
This lands in the same category as the recently disclosed GuardFall shell-guard bypasses across other open-source coding agents: AI coding assistants that execute shell commands on attacker-reachable input are becoming a reliable path from “read untrusted content” to “host compromise,” and vendors are still catching up on sandboxing that assumes the LLM’s own tool-call parameters are adversarial input.
Disclosure Timeline
Cato AI Labs reported both issues to Cursor on February 19; the initial report was rejected on February 23, then escalated and reopened for triage on February 26. Cursor shipped the working-directory fix in Cursor 3.0 on April 2, with the symlink-resolution fix following by June 1. CVE IDs were assigned June 5, and the writeup went public July 1.
Mitigation
- Upgrade to a current Cursor release immediately. Cursor 3.0 closed the working-directory escape and the symlink-resolution fix followed later (by June 1), so only a build that includes both fixes is safe; every earlier version is exploitable.
- Treat MCP server responses and fetched web content as untrusted input to agentic tools, the same way you’d treat any other injectable text — an agent that can read it can be steered by it.
- Restrict agent-accessible credentials. Don’t run coding agents with broad access to SSH keys, cloud credentials, or CI/CD secrets on the same machine if avoidable; scope what a compromised agent session can reach.
- Audit for unexpected modifications to sandbox helper binaries on developer workstations where Cursor was run pre-3.0, particularly cursorsandbox on macOS installs.
- Review agent auto-run/auto-approve settings — the less a human reviews before a terminal command executes, the more this class of bug matters.
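A concrete form of the helper-binary audit, added here as an example and not taken from the advisory or from Cursor: it asks codesign to verify the whole bundle seal and compares the helper's SHA-256 against a hash you recorded from a clean install of the same version. EXPECTED_SHA256 is a placeholder you must supply (no published hash is assumed), and whether this helper is covered by the bundle's code-signature seal is something to confirm on your own install before relying on the codesign verdict alone.

```shell
#!/bin/sh
# Added example, not from the advisory: audit the cursorsandbox helper on a
# macOS workstation that ran a pre-fix Cursor. Two independent signals:
# (1) the bundle's code-signature seal still verifies, and (2) the helper's
# SHA-256 matches a hash recorded from a clean install of the same version.

sha256_of() {  # portable: coreutils on Linux, shasum on macOS
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
  else shasum -a 256 "$1" | cut -d' ' -f1; fi
}

# verify_helper PATH EXPECTED_SHA256 -> 0 if the hash matches, 1 otherwise
verify_helper() {
  [ -f "$1" ] || { echo "missing: $1" >&2; return 1; }
  actual=$(sha256_of "$1")
  if [ "$actual" = "$2" ]; then echo "ok: $1"; return 0; fi
  echo "MISMATCH: $1" >&2
  echo "  expected $2" >&2
  echo "  actual   $actual" >&2
  return 1
}

# verify_bundle APP -> codesign's verdict on the bundle seal (macOS only)
verify_bundle() {
  command -v codesign >/dev/null 2>&1 || { echo "codesign not available; skipping" >&2; return 0; }
  codesign --verify --deep --strict --verbose=2 "$1"
}

APP=/Applications/Cursor.app
HELPER="$APP/Contents/Resources/app/resources/helpers/cursorsandbox"
# Placeholder: record this from a clean install of the same version.
EXPECTED_SHA256="${EXPECTED_SHA256:-<hash-from-clean-install>}"

if [ "$(uname)" = Darwin ] && [ -d "$APP" ]; then
  verify_bundle "$APP"
  verify_helper "$HELPER" "$EXPECTED_SHA256"
  # helpers modified after the bundle was installed deserve a second look
  find "$APP/Contents/Resources/app/resources/helpers" -type f -newer "$APP/Contents/Info.plist"
fi
```

Run it as the developer user, not via sudo, since the agent would have modified the file with that user's privileges; a mismatch or a failed seal on a machine that ran an unpatched build is a reason to reinstall from a fresh download rather than to trust the existing bundle.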
Further reading: Cato Networks’ DuneSlide writeup and coverage via The Hacker News and CSO Online.