Critical RCE Vulnerabilities in Cursor IDE Allow Zero-Click Prompt Injection

Two critical remote code execution (RCE) vulnerabilities have been identified in Cursor IDE, an AI-powered development environment utilized by over half of Fortune 500 companies. These flaws, collectively referred to as “DuneSlide,” have been assigned CVE-2026-50548 and CVE-2026-50549, each carrying a severity score of 9.8. Exploitation of these vulnerabilities enables attackers to escape Cursor’s sandbox, potentially compromising both local machines and connected SaaS workspaces.

Traditionally, prompt injection attacks have been associated with manipulating the output of large language models (LLMs). However, these newly discovered vulnerabilities demonstrate that such attacks can extend into conventional code paths that were not previously considered part of the attack surface. This expansion significantly broadens the potential impact of prompt injection techniques.

Vulnerability #1: Working Directory Manipulation

CVE-2026-50548 arises from the manner in which Cursor’s sandbox grants write access to a command’s working directory. Within Cursor, the working_directory parameter is optional and controlled by the LLM. A prompt injection can manipulate the agent to set this parameter to an attacker-specified path outside the project root. This manipulation allows the attacker to write to sensitive locations, such as the cursorsandbox binary, effectively neutralizing sandbox restrictions for subsequent commands within the same injection.

Vulnerability #2: Symlink Canonicalization Bypass

CVE-2026-50549 is an independent flaw in Cursor’s path resolution logic. An attacker can direct the agent to create a symbolic link (symlink) within the project directory that points to an external file. If Cursor’s canonicalization process fails (for example because the target does not exist or lacks read permissions), the agent falls back to trusting the original, unvalidated symlink path. This fail-open behaviour allows attackers to overwrite critical files, such as the cursorsandbox helper, achieving privileged RCE without any user interaction.
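The fail-open fallback described above, shown beside a fail-closed version, as an added example that is not Cursor's code: `fail_open_resolve` trusts the unresolved path when canonicalization fails, while `fail_closed_resolve` treats that failure as a rejection and, applied to an agent-supplied `working_directory` as well, also rejects the out-of-root paths from Vulnerability #1. It assumes a POSIX filesystem; `build_demo_project` constructs a throwaway project root containing a dangling symlink that points outside it.

```python
import os
import tempfile
from pathlib import Path

class PathEscapeError(Exception):
    """Path does not provably resolve to a location inside the project root."""

def _inside(root: Path, path: Path) -> bool:
    return path == root or root in path.parents  # both already resolved

def fail_open_resolve(project_root: str, requested: str) -> str:
    """Vulnerable pattern (constructed, not Cursor's code): if canonicalization fails,
    e.g. the symlink target does not exist, fall back to the raw path. It sits lexically
    under the root so the check passes, yet opening it later follows the symlink out."""
    root = Path(project_root).resolve()
    candidate = root / requested  # an absolute `requested` replaces root entirely
    try:
        resolved = candidate.resolve(strict=True)
    except OSError:
        resolved = candidate  # the bug: trust the unvalidated path
    if not _inside(root, resolved):
        raise PathEscapeError(f"{requested!r} escapes {root}")
    return str(resolved)

def fail_closed_resolve(project_root: str, requested: str) -> str:
    """Hardened pattern: a resolution failure is itself a rejection, and only the
    fully resolved path is compared against the root."""
    root = Path(project_root).resolve()
    try:
        resolved = (root / requested).resolve(strict=True)
    except OSError as exc:
        raise PathEscapeError(f"cannot canonicalize {requested!r}: {exc}") from exc
    if not _inside(root, resolved):
        raise PathEscapeError(f"{requested!r} resolves to {resolved}, outside {root}")
    return str(resolved)

def is_allowed(resolver, project_root: str, requested: str) -> bool:
    """Does `resolver` accept `requested` for this project root?"""
    try:
        resolver(project_root, requested)
    except PathEscapeError:
        return False
    return True

def build_demo_project() -> str:
    """Constructed sample input: temp root with `src/` and a dangling symlink `sandbox-link` pointing outside."""
    root = tempfile.mkdtemp(prefix="demo-project-")
    Path(root, "src").mkdir()
    os.symlink("/nonexistent/dir/cursorsandbox", os.path.join(root, "sandbox-link"))
    return root
```

Run `is_allowed(fail_open_resolve, root, "sandbox-link")` against `is_allowed(fail_closed_resolve, root, "sandbox-link")` to see the two patterns disagree only on the dangling symlink.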

These vulnerabilities are particularly concerning because they can be triggered without user privileges or deliberate interaction. A victim merely needs to issue a prompt that inadvertently processes attacker-controlled content from an untrusted source, such as a compromised Model Context Protocol (MCP) server response or a malicious web search result.

Cursor IDE version 2.x automatically runs agent terminal commands inside a sandbox without prompting for approval. This design aims to reduce approval fatigue while limiting the escalation potential of simple prompt injections. However, the discovery of these vulnerabilities underscores that sandboxing alone is insufficient to contain autonomous coding agents when parameter validation and path-resolution edge cases remain exploitable through prompt injection.

In response to these findings, Cato AI Labs is continuing responsible disclosure across other popular coding agents. This initiative signals the need for systemic, architecture-level defenses rather than isolated patches to secure AI-driven development tools effectively.

The emergence of these vulnerabilities highlights the evolving nature of security threats in AI-powered development environments. As these tools become more integrated into critical workflows, it is imperative for developers and organizations to adopt comprehensive security measures that address both traditional and novel attack vectors. Continuous vigilance and proactive security practices are essential to safeguard against the exploitation of such vulnerabilities.