Vulnerability  ·  2026-07-04

Cursor IDE 'DuneSlide' — Zero-Click Prompt Injection Escapes Sandbox for OS-Level RCE (CVE-2026-50548 / CVE-2026-50549)

VulnerabilityHigh impactGlobalCVE-2026-50548
Cato AI Labs disclosed two independent critical RCE vulnerabilities (both CVSS 9.8) in the Cursor AI code editor, collectively named 'DuneSlide', publicly released 2026-07-01/03. CVE-2026-50548 abuses the working_directory parameter of Cursor's run_terminal_cmd tool: when an LLM agent sets a non-default working directory (steerable via prompt injection from an MCP server response or web search result), Cursor blindly adds that path to the sandbox's allowed-write list, enabling overwrite of the cursorsandbox binary and all subsequent shell commands run without sandboxing. CVE-2026-50549 abuses a fallback in symlink canonicalization: when path resolution fails (non-existent or read-inaccessible path), Cursor trusts the un-canonicalized symlink path, letting an injected instruction create a write-only symlink from inside the project to the sandbox helper binary outside it, achieving the same escape. Both require zero user clicks — injected instructions hidden in MCP server output or web search results trigger the full chain.
Cursor is used by more than half of the Fortune 500. A developer simply asking Cursor to research a library or debug code while connected to a malicious (or compromised) MCP server is enough to achieve full OS-level code execution with the developer's privileges — exposing SSH keys, git credentials, AWS/GCP/Azure tokens, CI/CD pipelines, and any production system the developer can reach. Cato stated it is disclosing similar flaws in other coding agents, suggesting a structural category-wide trust-boundary gap.
Prompt injection embedded in MCP server responses, web search results, or attacker-crafted project files causes Cursor's LLM agent to set an arbitrary working directory or create a malicious symlink, overwriting the cursorsandbox binary and achieving unrestricted RCE on the developer's host OS.
Cursor IDE < 3.0 (all 2.x versions); fixed in Cursor 3.0 (released April 2026)
Update Cursor to version 3.0 or later immediately. Audit MCP server integrations and remove untrusted or unnecessary connectors. Avoid allowing Cursor to fetch external content from unvetted sources. Cato advisory: https://www.catonetworks.com/blog/duneslide-two-critical-rce-vulnerabilities/
Cato Networks AI Labs — DuneSlide: Two Critical RCE Vulnerabilities (2026-07-01)SecurityWeek — Critical Cursor AI Code Editor Flaws Could Lead to OS-Level RCE (2026-07-03)CSO Online — Sandbox bypass flaws in Cursor IDE highlight prompt injection as RCE vector (2026-07-01)NVD — CVE-2026-50548
See this in the live feed Explore related AI security and governance findings — updated every morning.
Open the feed →