
Cato AI Labs has disclosed two critical vulnerabilities in Cursor IDE — dubbed DuneSlide — that let a prompt injection silently escape the editor’s sandbox and run arbitrary commands on a developer’s machine. CVE-2026-50548 and CVE-2026-50549 both carry a CVSS score of 9.8. No click required. No malicious binary needed. All it takes is Cursor’s AI agent reading a poisoned web search result or a compromised MCP server response. Both bugs are fixed in Cursor 3.0, released April 2. If you haven’t updated, close this tab, update first, and come back.
How DuneSlide Works
The attack exploits two independent flaws in the sandbox Cursor wraps around its terminal agent. The agent runs shell commands on your machine on your behalf, and the sandbox is supposed to confine where those commands can write. DuneSlide breaks that confinement.
CVE-2026-50548 targets the working_directory parameter of Cursor’s internal run_terminal_cmd tool. The parameter is optional and LLM-controlled: it sets the directory a terminal command runs in. The bug is that Cursor adds whatever path the agent supplies to the sandbox’s allowed-write list without checking that it lies inside the project. A prompt injection can therefore steer the agent to point working_directory at /Applications/Cursor.app/Contents/Resources/app/resources/helpers/cursorsandbox on macOS, the sandbox helper itself. Once that binary is writable and overwritten, the sandbox is gone for every subsequent command in the session.
CVE-2026-50549 is a separate flaw in Cursor’s symlink resolution. Before writing a file, Cursor resolves any symlinks in the destination and checks that the real path lies inside the project directory. The bug is the fallback: when resolution fails, because the symlink target does not exist yet or because an attacker has removed read permissions from a directory on the path, Cursor gives up and checks the unresolved symlink path instead. That path sits inside the project, so it passes. Plant a symlink that points outward, engineer a resolution failure, and the write lands wherever the attacker chose.
Either vulnerability alone is enough to escape the sandbox.
The Entry Point: MCP and Web Search
Neither flaw requires the attacker to touch your machine. The injection rides in through content the AI agent reads on your behalf. Cato identified two primary entry points.
The first is MCP server responses. Cursor integrates with Model Context Protocol servers that supply tools and data to the agent. A malicious or compromised MCP server can embed injection payloads in its responses, and the agent, which has no reliable way to tell data in a tool result from instructions, follows them.
The second is web search results. When you ask Cursor’s agent to look up a library, a framework, or documentation, it fetches and processes web pages. A poisoned page that ranks in results becomes an injection vector — no user interaction required beyond the initial prompt.
Repositories work too. A crafted README or config file in an untrusted repo can carry the injection payload. Open the repo in Cursor, let the agent touch the files, and the chain completes.
What an Attacker Gets
Once the sandbox is down, the next terminal command executes as you. That means everything you have access to: local files, shell environment variables (where AWS keys, GCP tokens, and API keys often live), SSH keys, and any SaaS workspace Cursor is authenticated to — GitHub, GitLab, Jira, whatever your setup includes. This is full compromise of your user account on the machine, not a limited-scope file read.
Cursor Is Not the Only One
This is where the story gets uncomfortable for the industry. Cursor is not uniquely negligent — it is one of several vendors that shipped AI agent features without a coherent workspace trust model.
Amazon Q Developer had CVE-2026-12957 (CVSS 8.5): it automatically executed MCP server configs embedded in any repository a developer opened, running them as child processes that inherited the full shell environment, including AWS credentials. Patched May 12. Claude Code and Windsurf both had similar workspace configuration auto-execution issues. OX Security found 10 CVEs across the MCP ecosystem covering more than 200,000 exposed servers, with successful RCE demonstrated against six live production platforms.
The root cause is consistent across all of them: the Model Context Protocol specification does not define workspace trust. Every vendor filled that gap independently. Most filled it wrong.
What You Should Do Now
The immediate action is straightforward: update Cursor to 3.0 or later. Every version before 3.0 is affected, and the patch is already out. If you’re on a managed machine where updates need approval, escalate this one.
Beyond the update, a few practices matter:
- Audit connected MCP servers. Only keep servers you control or have explicitly vetted. Disconnect anything unfamiliar.
- Treat untrusted repositories as untrusted. Opening a random repo in Cursor with the agent enabled is now a meaningful risk decision, not a neutral action.
- Consider disabling web search in Cursor’s agent for high-security work environments, at least until you understand your threat model.
- Review what workspaces and credentials Cursor has access to. Limit the blast radius of any future exploitation by scoping Cursor’s permissions tightly.
Cursor also launched Security Review in beta on April 30 — two always-on security agents built into the IDE that can flag vulnerabilities as you write. Worth enabling once you’re on 3.0.
The Bigger Point
Prompt injection is not a chatbot safety problem. DuneSlide confirms what security researchers have been arguing since early 2026: prompt injection is a first-class software security vulnerability class that can deliver the same outcome as a traditional exploit. The attack surface is anything the AI agent reads. The payload is text. The result is RCE.
AI coding tools now run with the same system access as an IDE plugin, which is to say the developer’s full account privileges, and they need the same threat modeling. “Safety guardrails” is the wrong frame. Exploit mitigations, sandboxing, workspace trust models, and least-privilege access are the right frame.
The DuneSlide research and patch are out. But the pattern it represents is not going away. Expect more CVEs in this category across every AI coding tool that integrates with MCP or external content sources. That list is long.