What happened
Cato AI Labs disclosed 'DuneSlide' on 1 July 2026: two critical RCE vulnerabilities (CVE-2026-50548, CVSS 9.8; CVE-2026-50549, CVSS 9.3) in Cursor IDE's terminal sandbox. Both flaws let a zero-click prompt injection, hidden in content the agent merely reads, break out of the sandbox and run arbitrary commands on the host. Cato privately reported the flaws on 19 February 2026; Cursor initially rejected them, then fixed both in the 3.0 release on 2 April. CVE IDs were assigned on 5 June 2026 and the flaws were publicly disclosed on 1 July 2026. No in-the-wild exploitation was confirmed before disclosure. Cato stated that it is disclosing similar structural flaws in other popular coding agents.
Why it matters
AI coding agents like Cursor execute terminal commands autonomously inside a sandbox designed to prevent unauthorised OS access. DuneSlide shows that such a sandbox provides no isolation when the agent it is meant to contain can set execution parameters (working directory, symlink targets) that the sandbox trusts without validation. A single poisoned MCP tool response or web search result is enough to neutralise the sandbox and run any command as the developer, including commands that steal the cloud credentials, SSH keys and SaaS tokens present in the session. Because the attack requires no click or approval prompt, defences that rely on the user noticing something suspicious do not apply.
Attack vector
The attacker plants prompt-injection instructions in content the AI agent reads on the user's behalf (e.g. a poisoned MCP server response or web search result). CVE-2026-50548 abuses the LLM-controlled working_directory parameter of Cursor's run_terminal_cmd tool: the sandbox accepts the requested directory without checking that it lies inside the project, so a command can be made to write outside the project sandbox and overwrite the cursorsandbox helper binary. CVE-2026-50549 exploits a fallback in Cursor's symlink canonicalization: when path resolution fails (the target is missing or read access has been stripped), Cursor falls back to trusting the unresolved symlink path, so an attacker-created symlink can reach the same sandbox binary. Either chain neutralises sandboxing and yields full unsandboxed RCE on the developer's machine with zero user clicks.
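The two path-trust mistakes described above are common enough to be worth seeing in code. The following is an added illustration, not Cursor's code or Cato's proof of concept: it reconstructs each mistake in its simplest form next to a hardened variant that canonicalizes both the project root and the requested directory, fails closed when canonicalization is impossible (dangling link, stripped read access), and refuses anything that resolves outside the root. The function names, the sample paths and the in-memory stand-in for the filesystem are assumptions made for the example.

```typescript
// Added illustration (not Cursor's code): the two path-trust mistakes described
// in the DuneSlide write-up, each beside a hardened variant. Function names and
// the sample paths are assumptions for the example.
import * as path from "path";

// A canonicalizer in the shape of fs.realpathSync: returns the resolved path or
// throws (ENOENT for a dangling link, EACCES when read access was stripped).
export type Realpath = (p: string) => string;

// Vulnerable pattern 1 (cf. CVE-2026-50548): the model-supplied working
// directory is resolved against the project root and used as-is, so "../.."
// walks straight out of the project.
export function vulnerableWorkingDir(projectRoot: string, requested: string): string {
  return path.resolve(projectRoot, requested);
}

// Vulnerable pattern 2 (cf. CVE-2026-50549): when canonicalization fails, fall
// back to the raw, unvalidated path instead of refusing.
export function vulnerableCanonicalize(p: string, realpath: Realpath): string {
  try {
    return realpath(p);
  } catch {
    return p; // trusts whatever the symlink claims to point at
  }
}

// Containment test on two already-canonical absolute paths.
export function isInside(root: string, candidate: string): boolean {
  const rel = path.relative(root, candidate);
  return rel === "" || (rel !== ".." && !rel.startsWith(".." + path.sep) && !path.isAbsolute(rel));
}

// Hardened: canonicalize both sides, fail closed when that is impossible, and
// refuse anything that ends up outside the (canonical) project root.
export function hardenedWorkingDir(projectRoot: string, requested: string, realpath: Realpath): string {
  const root = realpath(projectRoot); // the root itself must resolve
  const candidate = path.resolve(root, requested);
  let canonical: string;
  try {
    canonical = realpath(candidate);
  } catch {
    throw new Error(`refusing ${candidate}: cannot canonicalize`); // fail closed, no fallback
  }
  if (!isInside(root, canonical)) {
    throw new Error(`refusing ${canonical}: outside project root ${root}`);
  }
  return canonical;
}

// Constructed stand-in for the filesystem so the example runs offline. One
// entry is a symlink inside the project that points outside it; any path absent
// from the table behaves like a dangling link and makes realpath throw.
export const FAKE_FS: Record<string, string> = {
  "/home/dev/project": "/home/dev/project",
  "/home/dev/project/src": "/home/dev/project/src",
  "/home/dev/project/link": "/home/dev/.cursor/bin",
  "/home/dev/.cursor/bin": "/home/dev/.cursor/bin",
};

export const fakeRealpath: Realpath = (p) => {
  const hit = FAKE_FS[path.normalize(p)];
  if (hit === undefined) throw new Error(`ENOENT: ${p}`);
  return hit;
};

// True when fn throws; used to check fail-closed behaviour.
export function rejects(fn: () => unknown): boolean {
  try { fn(); return false; } catch { return true; }
}

const ROOT = "/home/dev/project";
console.log("vulnerable ../.cursor/bin  ->", vulnerableWorkingDir(ROOT, "../.cursor/bin"));
console.log("vulnerable dangling link   ->", vulnerableCanonicalize(`${ROOT}/dangling`, fakeRealpath));
console.log("hardened   src             ->", hardenedWorkingDir(ROOT, "src", fakeRealpath));
console.log("hardened   link rejected   ->", rejects(() => hardenedWorkingDir(ROOT, "link", fakeRealpath)));
console.log("hardened   dangling reject ->", rejects(() => hardenedWorkingDir(ROOT, "dangling", fakeRealpath)));
```

The point of the hardened variant is the order of operations: resolve first, then compare canonical paths, and treat a resolution failure as a denial rather than as permission to use the raw string. A containment check performed on the unresolved path would still be fooled by the symlink case, and a fallback on failure reintroduces the second flaw regardless of how good the containment check is.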
Affected systems
Cursor IDE (anysphere/cursor) < 3.0
Mitigation
Update Cursor IDE to version 3.0 or later (fix released 2 April 2026) and confirm the installed version is 3.0 or higher. Restrict AI agent access to untrusted external data sources, and treat every MCP-connected service and web-search result as attacker-controlled input, since either is sufficient to deliver the injection.