Two CVSS 9.8 flaws in Cursor IDE let a prompt injection — hidden inside a web search result or MCP server response — escape the app’s sandbox and execute arbitrary commands on your machine. No clicks. No approval dialogs. The attacker gets your system, plus every cloud credential and API key your editor is signed into. The fix is Cursor 3.0, released April 2. If you’re still on 2.x, you’re exposed right now.
What Is DuneSlide
DuneSlide is the name Cato AI Labs gave to two critical vulnerabilities — CVE-2026-50548 and CVE-2026-50549 — publicly disclosed July 2, 2026. Both score 9.8 on CVSS 3.1. Both require zero user interaction to trigger. And both follow the same basic principle: trick the agent into writing one file it shouldn’t be allowed to touch, and use that write to turn the sandbox off.
Cursor’s maker reports that more than half the Fortune 500 uses the tool. The scope here is not theoretical.
The Two Vulnerabilities
CVE-2026-50548: The Working Directory Trap
Cursor’s run_terminal_cmd tool accepts an optional working_directory parameter. Normally it defaults to the project root. When an agent sets it to anything else, Cursor adds that path to the sandbox’s allowed-write list — without any validation.
Steer the agent to point working_directory at /Applications/Cursor.app/Contents/Resources/app/resources/helpers/cursorsandbox, and the agent can overwrite the sandbox helper itself. Once that file is gone, every subsequent terminal command runs unsandboxed, with full access to your system. Startup files like ~/.zshrc, ~/.zshenv, and ~/Library/LaunchAgents are also viable targets for persistence.
CVE-2026-50549: The Symlink Fallback
Cursor validates write destinations by resolving symlinks and checking that the real path stays inside the project directory. The problem is what happens when resolution fails: Cursor gives up and trusts the symlink’s apparent in-project path instead.
An attacker creates a write-only symlink inside the project pointing to an external location. The target doesn’t need to exist — that’s what triggers the resolution failure. Cursor falls back to trusting the symlink, the agent writes through it to cursorsandbox, and the sandbox is neutralized.
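To make the two failure modes concrete, here is an added illustrative model written for this post. It is not Cursor's code and does not reflect its internal API; it reproduces, in miniature, an unvalidated working_directory widening a write allowlist (the CVE-2026-50548 pattern) and a symlink check that falls back to the apparent path when strict resolution fails (the CVE-2026-50549 pattern), each beside a hardened version. The function names, the temporary project layout, and the fake "cursorsandbox" helper file are all constructed for the example.

```python
"""Added illustrative model of the two DuneSlide write-path checks.

Not Cursor's code. Everything below runs inside a temporary directory with a
fake 'cursorsandbox' helper file, so it is safe to execute offline.
"""
from __future__ import annotations

import tempfile
from pathlib import Path


def is_inside(root: Path, candidate: Path) -> bool:
    """True if the already-resolved `candidate` lies under the resolved `root`."""
    try:
        candidate.relative_to(root.resolve())
        return True
    except ValueError:
        return False


# ---- Model of CVE-2026-50548: working_directory widens the allowlist ----

def write_roots_vulnerable(project_root: Path, working_directory: str | None) -> list[Path]:
    """Flawed: the agent-supplied directory is appended without any validation."""
    roots = [project_root.resolve()]
    if working_directory:
        roots.append(Path(working_directory).resolve())
    return roots


def write_roots_hardened(project_root: Path, working_directory: str | None) -> list[Path]:
    """Hardened: resolve the directory (defeats '..' and symlinks) and require it to
    stay inside the project; anything else is refused rather than allowlisted."""
    roots = [project_root.resolve()]
    if working_directory:
        wd = Path(working_directory)
        wd = (wd if wd.is_absolute() else project_root / wd).resolve()
        if not is_inside(project_root, wd):
            raise PermissionError(f"working_directory escapes the project: {working_directory}")
        roots.append(wd)
    return roots


def may_write(roots: list[Path], target: Path) -> bool:
    """Allow a write when the resolved target sits under any allowlisted root."""
    real = target.resolve()
    return any(is_inside(r, real) for r in roots)


# ---- Model of CVE-2026-50549: symlink check with a lossy fallback ----

def may_write_symlink_vulnerable(project_root: Path, requested: Path) -> bool:
    """Flawed: strict resolution raises on a dangling symlink, and the except branch
    falls back to the unresolved path, which lexically sits inside the project."""
    try:
        real = requested.resolve(strict=True)
    except OSError:
        real = requested  # trust the apparent in-project path
    return is_inside(project_root, real)


def may_write_symlink_hardened(project_root: Path, requested: Path) -> bool:
    """Hardened: non-strict resolution still follows a dangling link to its target
    path, so the decision is made on where the write would actually land."""
    real = requested.resolve(strict=False)
    return is_inside(project_root, real)


def run_demo() -> dict[str, bool]:
    """Build a throwaway layout and exercise all four checks. The paths are
    constructed stand-ins for the real app-bundle helper location."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp).resolve()
        project = base / "project"
        project.mkdir()
        helper_dir = base / "Cursor.app" / "helpers"  # stand-in for the app bundle
        helper_dir.mkdir(parents=True)
        helper = helper_dir / "cursorsandbox"
        helper.write_text("#!/bin/sh\n# fake sandbox helper\n")

        # 50548 model: the agent points working_directory at the helper directory.
        vuln_roots = write_roots_vulnerable(project, str(helper_dir))
        try:
            write_roots_hardened(project, str(helper_dir))
            hardened_wd_rejects = False
        except PermissionError:
            hardened_wd_rejects = True

        # 50549 model: an in-project symlink to an outside path that does not exist yet.
        dangling_target = base / "Cursor.app" / "missing" / "cursorsandbox"
        link = project / "build-output"
        link.symlink_to(dangling_target)

        return {
            "vulnerable_wd_allows_helper_overwrite": may_write(vuln_roots, helper),
            "hardened_wd_rejects": hardened_wd_rejects,
            "vulnerable_symlink_allows_escape": may_write_symlink_vulnerable(project, link),
            "hardened_symlink_rejects": not may_write_symlink_hardened(project, link),
        }


if __name__ == "__main__":
    for check, outcome in run_demo().items():
        print(f"{check}: {outcome}")
```

Both hardened checks share one rule: decide on the resolved path, and treat a resolution failure as a denial, never as a reason to trust what the caller typed. Even the hardened symlink check is only a check; a link can be swapped between the check and the write, so a real sandbox should also open the final path with follow-symlink disabled or write through a directory file descriptor rather than a bare path.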
How the Attack Reaches You
Neither exploit requires you to open a malicious file or click anything. The attack arrives through content your agent processes during normal use:
- A web page returned by Cursor’s web search tool
- A response from a connected MCP server
You issue a routine prompt. Cursor’s agent fetches external content, encounters embedded instructions, and executes them — because that’s what agents do. The sandbox was the only thing standing between that instruction and your system. Now it isn’t.
This Is the Fourth Time
Cato AI Labs is direct about the pattern: “The problem is structural rather than a string of one-offs.” Looking at Cursor’s CVE history makes it hard to disagree.
- CurXecute (CVE-2025-54135, CVSS 8.6): A planted Slack message rewrote the MCP config and ran commands with no user confirmation required.
- MCPoison (CVE-2025-54136, CVSS 7.2): One-time MCP approval used to quietly swap in malicious commands afterward.
- CVE-2026-26268 (CVSS 9.9): A booby-trapped Git hook fired on the next git operation.
- DuneSlide: Working directory manipulation and symlink bypass — technique four.
That’s 11-plus CVEs in roughly 18 months, with four named sandbox-escape techniques. The fixes for CVE-2026-50548 and -50549 close these two doors. They don’t close the door. There will be a technique five.
Fix It Now, Then Think About Architecture
The immediate action is straightforward: upgrade to Cursor 3.0. Both CVEs are patched. No active exploitation had been reported as of the July 2 disclosure, but CVSS 9.8 vulnerabilities do not stay unexploited for long after publication.
Beyond the patch, the defensive principle Cato AI Labs is advocating — and that the rest of the industry needs to adopt — is treating all external AI agent input as adversarial by default. That means:
- Any content your agent fetches from the web is hostile until proven otherwise
- Any MCP server response should be treated as untrusted input, not a trusted instruction
- Write operations outside the project tree should require explicit human approval, always
Right now, Cursor and most AI coding agents handle this as a patch-when-caught problem. Itay Ravia, Head of Cato AI Labs, put it plainly: “Zero-click prompt injections can deftly maneuver isolated logic flaws to execute a full system takeover.” The gap isn’t a missed parameter check — it’s the assumption that external content is safe to execute against.
Upgrade. Audit your MCP connections. And pressure your AI tooling vendors to treat the adversarial input problem as an architectural requirement, not a backlog item.