Vulnerability  ·  2026-07-03

DuneSlide — Cursor IDE Zero-Click Prompt Injection Sandbox Escape Enables Host RCE (CVE-2026-50548, CVE-2026-50549)

Vulnerability · High impact · Global · CVE-2026-50548
Cato AI Labs disclosed 'DuneSlide' on 1 July 2026: two critical RCE vulnerabilities (CVE-2026-50548, CVSS 9.8; CVE-2026-50549, CVSS 9.3) in Cursor IDE's terminal sandbox. Both flaws allow a zero-click prompt injection hidden in content the agent merely reads to escape the sandbox and execute arbitrary commands on the host. Cato privately reported the flaws on 19 February 2026; Cursor initially rejected them, then fixed both in the 3.0 release on 2 April. CVE IDs were assigned 5 June 2026 and publicly disclosed 1 July 2026. No in-the-wild exploitation was confirmed before disclosure. Cato stated it is disclosing similar structural flaws in other popular coding agents.
AI coding agents like Cursor execute terminal commands autonomously inside a sandbox designed to prevent unauthorised OS access. DuneSlide proves that sandbox isolation is insufficient when the agent itself can set execution parameters (working directory, symlink targets) that the sandbox trusts without validation. A single poisoned MCP tool response or web search result is enough to neutralise the sandbox and run any command as the developer — including stealing cloud credentials, SSH keys, and SaaS tokens present in the session. Because the attack requires no click or approval, standard social-engineering defences are bypassed entirely.
An attacker plants prompt-injection instructions inside content the AI agent reads on the user's behalf (e.g. a poisoned MCP server response or web search result). CVE-2026-50548 abuses the LLM-controllable working_directory parameter of Cursor's run_terminal_cmd tool to redirect writes outside the project sandbox, overwriting the cursorsandbox helper binary. CVE-2026-50549 exploits a fallback in Cursor's symlink canonicalization: when path resolution fails (target missing or read-access stripped), Cursor trusts the unvalidated symlink path, letting attacker-created symlinks reach the same sandbox binary. Either chain neutralises sandboxing and achieves full unsandboxed RCE on the developer's machine with zero user clicks.
Affected: Cursor IDE (anysphere/cursor) versions before 3.0
Update Cursor IDE to version 3.0 or later (patched 2 April 2026). Restrict AI agent access to untrusted external data sources; treat every MCP-connected service and web-search result as attacker-controlled input.
Sources
The Hacker News — Critical Cursor Flaws Could Let Prompt Injection Escape Sandbox and Run Commands
Let's Data Science — Researchers Disclose Zero-Click RCE Flaws In Cursor IDE
CSO Online — Sandbox bypass flaws in Cursor IDE highlight prompt injection as an RCE vector
CybersecurityNews — Critical Cursor IDE RCE Vulnerabilities Enable Prompt Injection in Zero-Click