Researchers have disclosed two critical security vulnerabilities in Cursor, an AI-powered code editor, that could allow attackers to bypass the application’s built-in sandbox protections and execute arbitrary commands on a developer’s computer through a prompt injection attack. The flaws, discovered by Cato AI Labs and collectively named DuneSlide, have been assigned CVE-2026-50548 and CVE-2026-50549. Both vulnerabilities carry a CVSS score of 9.8 under version 3.1 and 9.3 under the newer CVSS 4.0 standard. The issues have been addressed in Cursor version 3.0, released on April 2; every version before 3.0 remains affected. According to Cursor, more than half of Fortune 500 companies use the editor, which makes a timely update important for organizations and individual developers alike.
Cursor introduced sandboxing by default in its 2.x release series to restrict the actions performed by terminal commands generated by its AI agent. The sandbox was designed to isolate command execution and limit access to sensitive parts of the operating system, reducing the impact of unintended or malicious instructions. The DuneSlide vulnerabilities demonstrate two ways to escape those restrictions. The attack begins with prompt injection, where hidden instructions are embedded inside content that the AI agent processes on behalf of the user. These instructions can originate from sources such as services connected through the Model Context Protocol (MCP) or from web pages returned during online searches. A developer only needs to make a normal request to the AI assistant; the concealed instructions are processed automatically, without further interaction or approval. Researchers describe this as a zero-click attack because it does not rely on user confirmation. In both vulnerabilities, the injected instructions persuade the AI agent to write a file outside its intended location, which lets the attacker disable the sandbox before subsequent commands execute with the user’s privileges.
The first vulnerability, tracked as CVE-2026-50548, abuses the working_directory parameter of Cursor’s run_terminal_cmd tool. The sandbox allows file writes within a command’s working directory, but researchers found that the application trusted an alternative directory supplied through this optional parameter without validating it against the project. An attacker could therefore redirect file writes to sensitive system locations instead of the active project directory. On macOS, researchers demonstrated that overwriting the cursorsandbox helper located inside the Cursor application package disabled sandbox protections for all subsequent commands. They also noted that shell startup files such as .zshrc are potential targets.

The second vulnerability, CVE-2026-50549, takes advantage of a weakness in Cursor’s symbolic link validation. Before writing a file, the application resolves symbolic links to verify that the final destination remains inside the project directory. If that resolution fails, for example because the link’s destination does not exist or access permissions prevent the check from completing, Cursor falls back to trusting the symbolic link’s own path inside the project, so the check fails open. An attacker can create a symbolic link that points outside the project and deliberately cause the validation to fail, allowing an unauthorized write to the same sandbox helper. Once the helper is modified, subsequent AI-generated terminal commands execute without sandbox restrictions and inherit the developer’s system privileges, potentially providing access to local resources as well as connected cloud and SaaS environments.
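The two bug classes described above, an untrusted working directory used as the containment root and a symlink check that falls back to the unresolved path when resolution fails, are both instances of a containment check that fails open. The following Python example is added here to illustrate that pattern and its fail-closed counterpart; it is not Cursor’s code, the function names are hypothetical, and it builds a throwaway project in a temporary directory with a deliberately dangling symlink (constructed input) so that it runs offline on any POSIX system.

```python
"""Fail-open versus fail-closed containment checks for agent-driven file writes.
Constructed illustration modelled on the DuneSlide bug classes; not Cursor's code."""
import os
import tempfile
from pathlib import Path
from typing import Optional


class ContainmentError(Exception):
    """The write target cannot be proven to lie inside the project."""


def _is_within(path: Path, root: Path) -> bool:
    """True if `path` is `root` or lies beneath it. Both must already be resolved."""
    return path == root or root in path.parents


def resolve_write_target_fail_open(project_root: Path, working_directory: Optional[Path],
                                   relative_path: str) -> Path:
    """Vulnerable pattern (hypothetical, mirrors the article's description).
    1. A caller-supplied working_directory becomes the containment root, so the
       check is made against whatever directory the caller named (CVE-2026-50548 shape).
    2. If symlink resolution fails (dangling link, permission error) the code falls
       back to the unresolved path, which sits inside the project by construction,
       so the check passes (CVE-2026-50549 shape)."""
    allowed_root = Path(working_directory) if working_directory else project_root
    candidate = allowed_root / relative_path
    try:
        final = candidate.resolve(strict=True)
    except OSError:
        final = candidate  # fail open: trust the link's own location
    if not _is_within(final, allowed_root):
        raise ContainmentError(f"{final} is outside {allowed_root}")
    return candidate


def resolve_write_target_fail_closed(project_root: Path, working_directory: Optional[Path],
                                     relative_path: str) -> Path:
    """Hardened pattern: decide only on fully resolved paths, and treat any
    failure to resolve as a denial."""
    root = project_root.resolve(strict=True)
    base = Path(working_directory) if working_directory else root
    try:
        base = base.resolve(strict=True)
    except OSError as exc:
        raise ContainmentError(f"cannot resolve working directory: {exc}") from exc
    if not _is_within(base, root):
        raise ContainmentError(f"working directory {base} is outside {root}")
    candidate = base / relative_path
    if candidate.name == "..":
        raise ContainmentError("target must name a file")
    # The parent must exist and resolve (through any symlinks) to a place inside
    # the project; a new file is only allowed in a directory we could verify.
    try:
        parent = candidate.parent.resolve(strict=True)
    except OSError as exc:
        raise ContainmentError(f"cannot resolve parent of {candidate}: {exc}") from exc
    if not _is_within(parent, root):
        raise ContainmentError(f"{parent} is outside {root}")
    leaf = parent / candidate.name
    # The final component is never followed: a symlink here, dangling or not, is refused.
    if leaf.is_symlink():
        raise ContainmentError(f"{leaf} is a symbolic link")
    return leaf


def safe_write(target: Path, data: bytes) -> None:
    """Create or truncate `target` without following a symlink at the final
    component, closing the window between the check and the write."""
    fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_TRUNC | os.O_NOFOLLOW, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)


def demo() -> dict:
    """Run three requests through both checks and report what landed where."""
    outcomes = {}
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp).resolve()
        project, outside = tmp / "project", tmp / "outside"
        project.mkdir()
        outside.mkdir()
        # Constructed stand-in for the privileged helper the article describes; it
        # does not exist yet, so strict resolution of the link below fails.
        helper = outside / "sandbox-helper"
        (project / "config.json").symlink_to(helper)  # attacker-planted, dangling
        requests = {
            "cwd_outside": (outside, ".zshrc"),        # CVE-2026-50548 shape
            "dangling_symlink": (None, "config.json"),  # CVE-2026-50549 shape
            "legit_new_file": (None, "notes.txt"),
        }
        # Hardened check first: nothing should appear outside the project.
        for name, (cwd, rel) in requests.items():
            try:
                safe_write(resolve_write_target_fail_closed(project, cwd, rel), b"via O_NOFOLLOW")
                outcomes[f"{name}/fail_closed"] = "allowed"
            except ContainmentError:
                outcomes[f"{name}/fail_closed"] = "blocked"
        outcomes["outside_after_fail_closed"] = sorted(p.name for p in outside.iterdir())
        # Vulnerable check: a plain open() follows the symlink and creates the target.
        for name, (cwd, rel) in requests.items():
            try:
                resolve_write_target_fail_open(project, cwd, rel).write_text("via plain open()")
                outcomes[f"{name}/fail_open"] = "allowed"
            except ContainmentError:
                outcomes[f"{name}/fail_open"] = "blocked"
        outcomes["outside_after_fail_open"] = sorted(p.name for p in outside.iterdir())
        outcomes["notes_inside_project"] = (project / "notes.txt").read_text()
    return outcomes


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The hardened version resolves the parent directory strictly and refuses a symlink at the final component rather than trying to resolve it, so a dangling link cannot turn a resolution error into an allow; the O_NOFOLLOW open keeps that decision valid at write time. An error from the resolver is a reason to deny, never a reason to fall back to a path the attacker controls.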
According to Cato AI Labs, there is currently no evidence that either vulnerability has been exploited in real-world attacks; the disclosure is based on security research rather than observation of active campaigns. Researchers reported both issues to Cursor on February 19. Cato stated that the initial reports were rejected several days later because Cursor considered misuse of MCP servers outside its threat model. Following additional discussions on February 26, the reports were reopened, reviewed and ultimately fixed in Cursor version 3.0. The associated CVE identifiers were assigned on June 5, and Cursor later published an advisory covering the symbolic link vulnerability, while the National Vulnerability Database also listed the flaws. DuneSlide follows several previously disclosed Cursor security issues involving prompt injection and code execution, including CurXecute, MCPoison and CVE-2026-26268, each targeting a different security control within the editor. Cato AI Labs stated that similar weaknesses are being identified in other AI coding assistants and believes the broader challenge lies in how AI agents interact with untrusted external content rather than in isolated implementation errors. The findings highlight the importance of validating every external input processed by AI-powered development tools and of ensuring that security mechanisms fail closed when handling unexpected or manipulated data.