
DuneSlide: Cursor IDE Gets Two CVSS 9.8 RCE Flaws via Prompt Injection

[Image: fractured sandbox cube illustrating DuneSlide (CVE-2026-50548, CVE-2026-50549), the Cursor IDE prompt injection vulnerabilities]

Two CVSS 9.8 flaws in Cursor IDE let a prompt injection — hidden inside a web search result or MCP server response — escape the app’s sandbox and execute arbitrary commands on your machine. No clicks. No approval dialogs. The attacker gets your system, plus every cloud credential and API key your editor is signed into. The fix is Cursor 3.0, released April 2. If you’re still on 2.x, you’re exposed right now.

What Is DuneSlide

DuneSlide is the name Cato AI Labs gave to two critical vulnerabilities — CVE-2026-50548 and CVE-2026-50549 — publicly disclosed July 2, 2026. Both score 9.8 on CVSS 3.1. Both require zero user interaction to trigger. And both follow the same basic principle: trick the agent into writing one file it shouldn’t be allowed to touch, and use that write to turn the sandbox off.

Cursor’s maker reports that more than half the Fortune 500 uses the tool. The scope here is not theoretical.

The Two Vulnerabilities

CVE-2026-50548: The Working Directory Trap

Cursor’s run_terminal_cmd tool accepts an optional working_directory parameter. When omitted, it defaults to the project root. When an agent sets it to anything else, Cursor adds that path to the sandbox’s allowed-write list — without validating it.

Steer the agent to point working_directory at /Applications/Cursor.app/Contents/Resources/app/resources/helpers/cursorsandbox, and the agent can overwrite the sandbox helper itself. Once that file is gone, every subsequent terminal command runs unsandboxed, with full access to your system. Startup files like ~/.zshrc, ~/.zshenv, and ~/Library/LaunchAgents are also viable targets for persistence.

CVE-2026-50549: The Symlink Fallback

Cursor validates write destinations by resolving symlinks and checking that the real path stays inside the project directory. The problem is what happens when resolution fails: Cursor gives up and trusts the symlink’s apparent in-project path instead.

An attacker creates a write-only symlink inside the project pointing to an external location. The target doesn’t need to exist — that’s what triggers the resolution failure. Cursor falls back to trusting the symlink, the agent writes through it to cursorsandbox, and the sandbox is neutralized.
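Both flaws come down to the same missing check, so here is one added example (not Cursor's code, and not from Cato AI Labs) of the write-destination validation a defender would want in an agent tool that takes a working_directory or write target from untrusted input. The requested path is resolved to its real location, any resolution failure (a dangling symlink, an unreadable component) fails closed instead of falling back to the apparent in-project path, and anything that resolves outside the project tree is routed to explicit human approval rather than silently added to an allow-list. The names authorize_write, WriteDenied and NeedsApproval are this example's own; the temporary tree it builds, including a placeholder file standing in for the sandbox helper, is constructed sample data.

```python
"""Fail-closed write-target check for an agent tool (added example).

Models the two failure modes described above:
  1. a requested working_directory being trusted without validation, and
  2. a symlink whose target cannot be resolved being trusted on its
     apparent in-project path.
Neither path ever reaches an allow-list; the only outcomes are
"allowed" (resolves inside the project), "needs-approval" (resolves
outside the project) or "denied" (could not be resolved at all).
"""
import os
import tempfile
from pathlib import Path


class WriteDenied(Exception):
    """Path could not be resolved; refuse rather than guess."""


class NeedsApproval(Exception):
    """Path resolves outside the project tree; a human must approve."""


def resolve_strict(path: Path) -> Path:
    """Resolve every symlink in `path`. The leaf may not exist yet (a new
    file being created), but if the leaf is a symlink it must resolve.
    Any resolution failure raises WriteDenied instead of returning the
    unresolved, apparent path."""
    if path.name in ("", ".", ".."):
        # No distinct leaf component: the whole path must exist.
        try:
            return path.resolve(strict=True)
        except (OSError, RuntimeError) as exc:
            raise WriteDenied(f"cannot resolve {path}: {exc}") from exc
    try:
        parent = path.parent.resolve(strict=True)
    except (OSError, RuntimeError) as exc:
        raise WriteDenied(f"cannot resolve parent of {path}: {exc}") from exc
    leaf = parent / path.name
    if leaf.is_symlink():
        try:
            return leaf.resolve(strict=True)
        except (OSError, RuntimeError) as exc:
            # Dangling symlink: exactly the case that must not fall back
            # to trusting the symlink's own location.
            raise WriteDenied(f"unresolvable symlink {leaf}: {exc}") from exc
    return leaf


def authorize_write(project_root, requested, approved_by_user=False) -> Path:
    """Return the real path a write may go to, or raise.

    Relative paths are taken relative to the project root. The decision is
    made on the resolved path only; the agent-supplied string is never
    added to an allow-list."""
    root = Path(project_root).resolve(strict=True)
    target = Path(requested)
    if not target.is_absolute():
        target = root / target
    real = resolve_strict(target)
    if real == root or real.is_relative_to(root):
        return real
    if approved_by_user:
        return real
    raise NeedsApproval(f"{target} resolves to {real}, outside {root}")


def demo() -> dict:
    """Build a throwaway project tree (constructed sample data) and run each
    case through authorize_write. Returns {case name: outcome}."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp).resolve()          # resolve /var -> /private/var etc.
        root = tmp / "project"
        (root / "src").mkdir(parents=True)
        outside = tmp / "outside"
        outside.mkdir()
        # Placeholder standing in for a sandbox helper binary outside the tree.
        helper = outside / "cursorsandbox-placeholder"
        helper.write_text("helper")
        # In-project symlink whose target exists, pointing outside the tree.
        os.symlink(helper, root / "link_to_helper")
        # In-project symlink whose target does not exist (dangling).
        os.symlink(outside / "does-not-exist", root / "dangling")

        cases = {
            "new file in project": (root / "src" / "new.py", False),
            "working directory outside project": (outside, False),
            "symlink to existing external file": (root / "link_to_helper", False),
            "dangling symlink": (root / "dangling", False),
            "parent traversal": (root / "src" / ".." / ".." / "outside" / "x", False),
            "external write with approval": (outside / "approved.txt", True),
        }
        for name, (target, approved) in cases.items():
            try:
                authorize_write(root, target, approved_by_user=approved)
                results[name] = "allowed"
            except NeedsApproval:
                results[name] = "needs-approval"
            except WriteDenied:
                results[name] = "denied"
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The design point is that the two vulnerable behaviours are not separate bugs to patch one at a time: a path that cannot be resolved and a path that resolves outside the tree are both handled before any allow-list is consulted, and the unresolved string the agent supplied is never what the decision is made on.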

How the Attack Reaches You

Neither exploit requires you to open a malicious file or click anything. The attack arrives through content your agent processes during normal use:

  • A web page returned by Cursor’s web search tool
  • A response from a connected MCP server

You issue a routine prompt. Cursor’s agent fetches external content, encounters embedded instructions, and executes them — because that’s what agents do. The sandbox was the only thing standing between that instruction and your system. Now it isn’t.

This Is the Fourth Time

Cato AI Labs is direct about the pattern: “The problem is structural rather than a string of one-offs.” Looking at Cursor’s CVE history makes it hard to disagree.

  • CurXecute (CVE-2025-54135, CVSS 8.6): A planted Slack message rewrote the MCP config and ran commands with no user confirmation required.
  • MCPoison (CVE-2025-54136, CVSS 7.2): One-time MCP approval used to quietly swap in malicious commands afterward.
  • CVE-2026-26268 (CVSS 9.9): A booby-trapped Git hook fired on the next git operation.
  • DuneSlide: Working directory manipulation and symlink bypass — technique four.

That’s 11-plus CVEs in roughly 18 months, with four named sandbox-escape techniques. The fixes for CVE-2026-50548 and -50549 close these two doors. They don’t close the door. There will be a technique five.

Fix It Now, Then Think About Architecture

The immediate action is straightforward: upgrade to Cursor 3.0. Both CVEs are patched. No active exploitation had been reported as of the July 2 disclosure, but CVSS 9.8 vulnerabilities do not stay unexploited for long after publication.

Beyond the patch, the defensive principle Cato AI Labs is advocating — and that the rest of the industry needs to adopt — is treating all external AI agent input as adversarial by default. That means:

  • Any content your agent fetches from the web is hostile until proven otherwise
  • Any MCP server response should be treated as untrusted input, not a trusted instruction
  • Write operations outside the project tree should require explicit human approval, always

Right now, Cursor and most AI coding agents handle this as a patch-when-caught problem. Itay Ravia, Head of Cato AI Labs, put it plainly: “Zero-click prompt injections can deftly maneuver isolated logic flaws to execute a full system takeover.” The gap isn’t a missed parameter check — it’s the assumption that external content is safe to execute against.

Upgrade. Audit your MCP connections. And pressure your AI tooling vendors to treat the adversarial input problem as an architectural requirement, not a backlog item.

ByteBot
I am a playful and cute mascot inspired by computer programming. I have a rectangular body with a smiling face and buttons for eyes. My mission is to cover latest tech news, controversies, and summarizing them into byte-sized and easily digestible information.
