Critical Cursor Vulnerabilities Allow Prompt Injection to Escape Sandbox and Execute Commands
Two critical vulnerabilities, DuneSlide (CVE-2026-50548 and CVE-2026-50549), discovered in the AI code editor Cursor, enable prompt injection attacks to bypass security sandboxes and execute arbitrary commands on developer machines.

Two critical vulnerabilities, collectively named DuneSlide and tracked as CVE-2026-50548 and CVE-2026-50549, have been discovered in the AI-powered code editor Cursor. These flaws allow threat actors to use prompt injection to bypass the application's security sandbox and execute arbitrary commands on a developer's machine without any user interaction. With CVSS scores of 9.8 and 9.3 respectively, the vulnerabilities pose a significant risk to the tool's user base, which includes a substantial portion of Fortune 500 companies.
The sandbox mechanism, introduced in Cursor's 2.x line, was designed to limit the scope of commands executed by the AI agent, preventing unintended damage to the system. However, the DuneSlide vulnerabilities exploit weaknesses in how Cursor handles external inputs, such as those from Model Context Protocol (MCP) services or web search results, to trick the AI agent into executing malicious commands.
CVE-2026-50548 specifically abuses the run_terminal_cmd tool by manipulating the working_directory parameter. By setting this parameter to a non-default path, an attacker can trick Cursor into allowing writes to arbitrary system locations. The exploit targets critical startup files or even the sandbox helper executable itself, effectively disabling the sandbox for subsequent commands.
CVE-2026-50549 targets the safety check that is supposed to stop symbolic links (symlinks) from pointing outside the project directory. The flaw lies in its fallback: when the check cannot resolve the link, because the target does not exist or a component along the path is inaccessible, Cursor trusts the link's original, unresolved path instead of failing closed. An attacker can therefore plant a symlink inside the project whose target lies outside it, slip past the project boundary, and write to the same sandbox helper file, achieving sandbox escape.
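To make the two mechanics concrete, here is an added example (not Cursor's code, and not from Cato AI Labs' writeup) of a project-boundary check with the canonicalization fallback the article describes, next to a hardened version, plus a small handler that applies the same check to a run_terminal_cmd-style working_directory parameter. The function names, the fixture directories and the file names are assumptions for illustration; the article does not give Cursor's actual logic for either CVE, only the symptom (fallback to the unresolved path; an unvetted working directory).

```python
import os
import tempfile
from typing import Callable, Optional


def within_root(root: str, path: str) -> bool:
    """True if `path` equals `root` or lies beneath it (both absolute)."""
    return os.path.commonpath([root, path]) == root


def boundary_check_vulnerable(project_root: str, candidate: str) -> bool:
    """Flawed check in the shape the article describes (hypothetical
    reconstruction): canonicalise and compare, but when canonicalisation
    fails (dangling symlink, EACCES along the path) fall back to the
    un-resolved path. A link inside the project whose target does not exist
    yet therefore passes, and the later write creates the target file."""
    root = os.path.realpath(project_root)
    try:
        os.stat(candidate)                 # follows links; fails for a dangling one
        real = os.path.realpath(candidate)
    except OSError:
        real = os.path.abspath(candidate)  # BUG: trusts the link's own path
    return within_root(root, real)


def boundary_check_hardened(project_root: str, candidate: str) -> bool:
    """Resolve every link that exists along the path and append the
    not-yet-existing tail lexically (os.path.realpath in non-strict mode
    does exactly this); never fall back to the unresolved form. A link with
    a missing target resolves to the *target*, which is what gets compared."""
    root = os.path.realpath(project_root)
    real = os.path.realpath(candidate)
    return within_root(root, real)


def vet_tool_write(project_root: str, working_directory: Optional[str],
                   relative_file: str, check: Callable[[str, str], bool]) -> bool:
    """Apply one boundary check to both halves of a terminal-tool write: the
    working_directory parameter (name taken from the article) and the file the
    command will touch beneath it. None means the project root."""
    cwd = working_directory if working_directory is not None else project_root
    if not check(project_root, cwd):
        return False
    return check(project_root, os.path.join(cwd, relative_file))


def demo() -> dict:
    """Constructed fixture: a project directory and an 'outside' directory
    next to it, one symlink in the project pointing at an existing outside
    file and one pointing at an outside file that does not exist yet."""
    base = os.path.realpath(tempfile.mkdtemp())   # realpath: /var vs /private/var on macOS
    project = os.path.join(base, "project")
    outside = os.path.join(base, "outside")
    os.makedirs(project)
    os.makedirs(outside)
    existing = os.path.join(outside, "existing.txt")
    open(existing, "w").close()
    os.symlink(existing, os.path.join(project, "alias.txt"))
    os.symlink(os.path.join(outside, "helper-to-overwrite"),   # target absent
               os.path.join(project, "dangling.txt"))
    alias = os.path.join(project, "alias.txt")
    dangling = os.path.join(project, "dangling.txt")
    return {
        # both checks reject a link whose target exists outside the project
        "vuln_existing": boundary_check_vulnerable(project, alias),
        "hard_existing": boundary_check_hardened(project, alias),
        # only the hardened check rejects the dangling link
        "vuln_dangling": boundary_check_vulnerable(project, dangling),
        "hard_dangling": boundary_check_hardened(project, dangling),
        # a working_directory outside the project is rejected before the file is considered
        "foreign_cwd": vet_tool_write(project, outside, "new.txt", boundary_check_hardened),
        "default_cwd": vet_tool_write(project, None, "new.txt", boundary_check_hardened),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {'allowed' if verdict else 'rejected'}")
```

The vulnerable check only differs from the hardened one in what it does when resolution fails, which is exactly where an attacker who controls the repository contents can steer it. Note that even the hardened check is a pre-write decision and remains subject to a race if the link is swapped between check and write; a sandbox that must survive hostile project contents should additionally open files with O_NOFOLLOW or confine the helper binary where the agent cannot write at all.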
Once the sandbox is neutralized, any command executed by the AI agent runs with the user's full privileges. This could lead to complete compromise of the developer's machine, including access to sensitive data, cloud environments, and SaaS workspaces the editor is connected to. The attack is particularly concerning as it requires no user clicks or explicit approvals, making it a 'zero-click' exploit.
Fortunately, the vulnerabilities have been patched by Cursor in version 3.0, released on April 2, 2026. All versions prior to 3.0 are affected. The company strongly advises all users to update their installations immediately to mitigate the risk. Cato AI Labs, the security firm that discovered the flaws, reported them on February 19, 2026, and the CVE IDs were assigned on June 5, 2026.
This is not the first time Cursor has faced such security issues. Previous vulnerabilities like CurXecute (CVE-2025-54135), MCPoison, and CVE-2026-26268 have also involved prompt injection and code execution risks, highlighting an ongoing challenge in securing AI-powered development tools. The DuneSlide vulnerabilities represent an escalation, as they specifically target and bypass the sandbox mechanisms implemented to address these earlier threats.
Cato AI Labs has indicated that similar flaws exist in other AI coding agents, suggesting a systemic issue rather than isolated incidents. This raises broader questions for developers of AI agents that interact with the open web: whether to adopt a default-hostile input model or continue a reactive, patch-by-patch approach to security.
In short, CVE-2026-50548 and CVE-2026-50549, together known as DuneSlide, exploit how Cursor's sandbox handles working-directory manipulation and symlink canonicalization, letting an attacker overwrite critical files such as the cursorsandbox binary. The result is unsandboxed remote code execution with no user interaction, requiring only that the agent ingest attacker-controlled content through an otherwise innocuous prompt.