Security researchers at Cato AI Labs have disclosed two critical vulnerabilities in Cursor IDE that allow attackers to bypass the platform's sandbox protections and achieve full remote code execution (RCE).

The vulnerabilities, collectively dubbed DuneSlide, have been assigned:

  • CVE-2026-50548 (CVSS 9.8)
  • CVE-2026-50549 (CVSS 9.8)

Both flaws affect Cursor IDE 2.x and demonstrate how prompt injection attacks can extend beyond manipulating AI responses and directly impact underlying system-level functionality.

What Makes DuneSlide Dangerous?

Cursor IDE automatically executes agent terminal commands inside a sandbox to reduce approval fatigue and limit the impact of malicious prompts.

However, researchers discovered that prompt injection can manipulate the agent into abusing trusted functionality, ultimately escaping the sandbox entirely.

An attacker only needs to influence content that the AI agent consumes, such as:

  • Malicious MCP server responses
  • Poisoned web search results
  • Untrusted documentation
  • Third-party content ingested by the AI assistant

No elevated privileges or explicit user approval are required.

Once exploited, attackers can overwrite critical system files and transform sandboxed commands into fully unsandboxed execution.

CVE-2026-50548: Working Directory Manipulation

The first vulnerability exploits Cursor's handling of the working_directory parameter used by the run_terminal_cmd tool.

Because this parameter is controlled by the AI model, a prompt injection can force the agent to execute commands from attacker-selected directories outside the intended project scope.

This enables writes to sensitive locations such as:

/Applications/Cursor.app/Contents/Resources/app/resources/helpers/cursorsandbox

as well as user persistence locations like:

~/.zshrc
~/Library/LaunchAgents

By modifying the cursorsandbox helper itself, attackers can effectively disable sandbox protections for future commands.

CVE-2026-50549: Symlink Canonicalization Bypass

The second flaw abuses Cursor's path validation process.

Researchers found that an attacker can:

  1. Create a symlink inside the project directory.
  2. Point it to a file outside the project boundary.
  3. Trigger a failure in Cursor's canonicalization process.
  4. Cause Cursor to fall back to trusting the original, unresolved symlink path instead of the resolved target.

As a result, the checks intended to block writes outside the project boundary can be bypassed.

Attackers can then overwrite sensitive files, including the cursorsandbox binary, resulting in privileged code execution.
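Both flaws come down to the same defensive requirement: a path supplied by the model, whether as a working directory or as a write target, must be canonicalized (every symlink followed) before it is checked against the project boundary, and any failure during canonicalization must reject the path rather than fall back to the unresolved one. The validator below is an added illustration of that fail-closed design, not code from Cato AI Labs or from Cursor; the function names, the temporary-directory layout and the file names are constructed for the example, and the checks are written in Python rather than against Cursor's real working_directory handling.

```python
import tempfile
from pathlib import Path
from typing import Optional


def canonicalize(path: str) -> Optional[Path]:
    """Return the fully resolved form of `path`, or None if it cannot be resolved.

    Every existing component, including the project root itself, is resolved
    with strict=True so that symlinks are followed and a broken link chain or a
    symlink loop raises instead of silently leaving the unresolved path in place.
    The final component may not exist yet (a file about to be written), so it is
    only resolved when it is itself a symlink.
    """
    try:
        p = Path(path)
        if p.name in ("", ".", ".."):
            return p.resolve(strict=True)
        parent = p.parent.resolve(strict=True)
        leaf = parent / p.name
        if leaf.is_symlink():
            # An existing symlink at the leaf must resolve to a real target;
            # a dangling link or a loop means canonicalization has failed.
            leaf = leaf.resolve(strict=True)
        return leaf
    except (OSError, RuntimeError):
        # Fail closed: a canonicalization failure is a rejection, never a
        # fallback to the path the caller supplied.
        return None


def is_within(child: Path, root: Path) -> bool:
    """True if `child` equals `root` or lies beneath it (both already canonical)."""
    try:
        child.relative_to(root)
        return True
    except ValueError:
        return False


def validate_working_directory(candidate: str, project_root: str) -> Optional[str]:
    """Accept `candidate` as a working directory only if, after canonicalization,
    it is an existing directory inside `project_root`."""
    root = canonicalize(project_root)
    wd = canonicalize(candidate)
    if root is None or wd is None or not wd.is_dir():
        return None
    return str(wd) if is_within(wd, root) else None


def validate_write_target(candidate: str, project_root: str) -> Optional[str]:
    """Accept `candidate` as a write target only if, with every symlink on the
    way resolved, it still lies inside `project_root`."""
    root = canonicalize(project_root)
    target = canonicalize(candidate)
    if root is None or target is None:
        return None
    return str(target) if is_within(target, root) else None


def demo() -> dict:
    """Constructed scenario (temporary directories, not real Cursor paths):
    a project root, a directory outside it, and several symlinks placed inside
    the project that point outside the boundary or fail to resolve."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp).resolve()
        root = base / "project"
        outside = base / "outside"
        (root / "src").mkdir(parents=True)
        outside.mkdir()
        (outside / "helper.bin").write_text("stand-in for a file outside the project")
        (root / "innocent.txt").symlink_to(outside / "helper.bin")  # link to an outside file
        (root / "vendor").symlink_to(outside)                        # link to an outside directory
        (root / "dangling").symlink_to(outside / "missing")          # target does not exist
        (root / "loop_a").symlink_to(root / "loop_b")                # two-link symlink loop
        (root / "loop_b").symlink_to(root / "loop_a")
        accepted = lambda result: result is not None
        return {
            "wd_inside": accepted(validate_working_directory(str(root / "src"), str(root))),
            "wd_outside": accepted(validate_working_directory(str(outside), str(root))),
            "wd_traversal": accepted(validate_working_directory(str(root / "src" / ".." / ".."), str(root))),
            "write_new_file": accepted(validate_write_target(str(root / "src" / "new.txt"), str(root))),
            "write_through_file_link": accepted(validate_write_target(str(root / "innocent.txt"), str(root))),
            "write_through_dir_link": accepted(validate_write_target(str(root / "vendor" / "new.txt"), str(root))),
            "write_dangling_link": accepted(validate_write_target(str(root / "dangling"), str(root))),
            "write_symlink_loop": accepted(validate_write_target(str(root / "loop_a"), str(root))),
        }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:26s} {'accepted' if ok else 'rejected'}")
```

Only the two in-bounds cases are accepted; every symlink that leaves the project, whether a file link, a directory link used as a parent, a dangling link or a loop, is rejected, and the traversal through the working directory is caught because the boundary test runs on the resolved path rather than on the string the caller passed in.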

Potential Impact

Successful exploitation can lead to:

  • Complete sandbox escape
  • Arbitrary code execution
  • System compromise
  • Persistence installation
  • Modification of user shell profiles
  • Compromise of connected SaaS environments
  • Unauthorized access to development workflows

Because Cursor is widely used across enterprise environments, the impact could extend beyond individual developer workstations.

Key Takeaways

The DuneSlide vulnerabilities highlight a growing challenge in AI-powered development tools:

Sandboxing alone is not enough when AI agents can influence parameters that control file access and execution behavior.

Researchers warn that prompt injection attacks are increasingly capable of reaching traditional software attack surfaces, creating risks that extend far beyond manipulated AI output.

Cato AI Labs stated that it is continuing to investigate similar issues across other AI coding assistants and believes stronger architectural protections will be required to secure autonomous development environments.