Recent discoveries have unveiled two critical vulnerabilities in Cursor, an AI-powered code editor, that could enable attackers to execute arbitrary commands on a developer’s machine through a single, seemingly innocuous prompt. These flaws, identified by Cato AI Labs and collectively named ‘DuneSlide,’ are cataloged as CVE-2026-50548 and CVE-2026-50549, each carrying a severity rating of 9.8 out of 10.
Cursor’s developers have addressed these issues in version 3.0, released on April 2, 2026. Users operating versions prior to 3.0 are urged to update immediately, especially considering that over half of the Fortune 500 companies utilize this tool.
Understanding the Sandbox Mechanism and Its Breach
In its 2.x series, Cursor introduced a sandbox environment designed to confine terminal commands issued by its AI agent, thereby preventing unintended system modifications. The DuneSlide vulnerabilities exploit this protective measure through prompt injection techniques, allowing malicious commands to escape the sandbox and execute on the host system.
Attackers can embed harmful instructions within data sources that the AI agent processes, such as services connected via the Model Context Protocol (MCP) or web search results. When a developer poses a standard query, these concealed commands are executed without requiring any additional user interaction, classifying the attack as ‘zero-click.’
Both vulnerabilities manipulate the system to write files outside the intended boundaries, effectively disabling the sandbox:
- CVE-2026-50548: This flaw exploits the ‘working_directory’ parameter in Cursor’s ‘run_terminal_cmd’ tool. By directing this parameter to a system file instead of the project directory, the attacker can overwrite critical components, such as the sandbox helper, thereby deactivating the sandbox.
- CVE-2026-50549: This issue leverages symbolic links (symlinks) and Cursor’s fallback mechanisms. By creating a symlink that points outside the project and inducing a failure in the path resolution process, the attacker can trick Cursor into writing to unintended locations, including the sandbox helper, thus compromising the sandbox’s integrity.
Once the sandbox is compromised, subsequent commands execute with the developer’s privileges, granting attackers potential control over the machine and access to associated cloud or SaaS environments linked to the editor.
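Both flaws come down to trusting a path before it has been canonicalised. The following is an added defensive example, not Cursor's code: the helper name checkWorkingDirectory and the temp-directory fixture are assumptions made for illustration. It resolves symlinks before comparing against the project root and refuses, rather than falling back, when resolution fails.

```javascript
const fs = require("fs");
const os = require("os");
const path = require("path");

// Hypothetical helper (not Cursor's code): canonicalise `candidate` and
// require it to be a directory inside `projectRoot`. Throws on any doubt.
function checkWorkingDirectory(projectRoot, candidate) {
  const root = fs.realpathSync(projectRoot);
  const joined = path.resolve(root, candidate);
  let real;
  try {
    real = fs.realpathSync(joined); // follows every symlink in the path
  } catch (err) {
    // Fail closed: never fall back to the unresolved string.
    throw new Error(`denied: cannot resolve ${joined} (${err.code})`);
  }
  const rel = path.relative(root, real);
  if (rel === ".." || rel.startsWith(".." + path.sep) || path.isAbsolute(rel)) {
    throw new Error(`denied: ${real} is outside ${root}`);
  }
  if (!fs.statSync(real).isDirectory()) throw new Error(`denied: ${real} is not a directory`);
  return real;
}

// Constructed fixture: a temp project with one symlink that leaves the
// project and one dangling symlink whose resolution fails.
function demo() {
  const base = fs.mkdtempSync(path.join(os.tmpdir(), "wd-check-"));
  const project = path.join(base, "project");
  const outside = path.join(base, "outside");
  fs.mkdirSync(path.join(project, "src"), { recursive: true });
  fs.mkdirSync(outside);
  fs.writeFileSync(path.join(outside, "helper"), "stand-in file\n");
  fs.symlinkSync(outside, path.join(project, "link"));
  fs.symlinkSync(path.join(base, "missing"), path.join(project, "dangling"));
  const cases = {
    subdir: "src", root: ".", dotdot: "../outside",
    absoluteFile: path.join(outside, "helper"), symlink: "link", dangling: "dangling",
  };
  const results = {};
  for (const [label, wd] of Object.entries(cases)) {
    try { checkWorkingDirectory(project, wd); results[label] = "allow"; }
    catch (e) { results[label] = "deny"; }
  }
  fs.rmSync(base, { recursive: true, force: true });
  return results;
}
console.log(demo());
```

A check of this kind still leaves a window between validation and use, so it complements operating-system write protection on the sandbox helper rather than replacing it.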
Historical Context and Ongoing Challenges
The DuneSlide vulnerabilities are part of a series of security issues identified in Cursor:
- CurXecute (CVE-2025-54135): Discovered in August 2025, this flaw allowed attackers to modify Cursor’s configuration and execute commands even after user rejection. It was addressed in version 1.3.
- MCPoison (CVE-2025-54136): Identified by Check Point Research, this vulnerability enabled attackers to gain initial approval for an MCP configuration and subsequently inject malicious commands without further prompts.
- CVE-2026-26268: Reported in February 2026, this issue involved malicious Git hooks that executed upon the AI agent’s interaction with a repository, leading to unintended command execution. It was patched in version 2.5.
In response to these recurring threats, Cursor implemented the sandbox feature in its 2.x versions. However, the emergence of DuneSlide underscores the persistent challenges in securing AI-driven development tools against sophisticated prompt injection attacks.
While there is no evidence of these vulnerabilities being exploited in real-world attacks, their existence highlights the critical need for developers to maintain updated software and remain vigilant against evolving security threats. The rapid advancement of AI in development environments necessitates continuous scrutiny and enhancement of security measures to safeguard against potential exploits.