Researchers at Cato AI Labs have disclosed two critical vulnerabilities in the Cursor AI code editor that allow a prompt injection attack to fully escape the application sandbox and execute arbitrary OS-level commands on the developer's machine — with no clicks required from the victim.
The vulnerability pair, nicknamed DuneSlide, carries CVSS scores of 9.8 (Critical) for both CVE-2026-50548 and CVE-2026-50549. All Cursor versions prior to 3.0 are affected.
What Is DuneSlide?
DuneSlide is a two-vulnerability chain discovered by Cato AI Labs (a research division of Cato Networks). Both flaws exploit weaknesses in how Cursor validates write paths before allowing its AI agent to modify files. Injecting a malicious payload through a poisoned MCP server response or a web search result — without any additional user interaction — is enough to trigger either vulnerability.
The end result is the same in both cases: the attacker overwrites the cursorsandbox binary, the process responsible for enforcing Cursor's write isolation. Once that binary is replaced, all subsequent AI agent commands execute directly on the underlying OS with no sandboxing in place.
CVE-2026-50548 — Working Directory Abuse
Cursor's run_terminal_cmd tool accepts an optional working_directory parameter. When an AI agent sets this parameter to a path outside the project directory, Cursor automatically adds that path to the sandbox's allowed-write list without further validation.
A prompt injection that steers the agent to specify a system-level working directory — such as the directory containing cursorsandbox itself — lets an attacker silently write to locations that should be off limits, including the sandbox binary.
CVE-2026-50549 — Symlink Canonicalization Bypass
Before writing a file, Cursor resolves symlinks to confirm the real destination is inside the project. When that resolution fails — because the target doesn't exist or a directory in the path has restricted read permissions — Cursor falls back to trusting the unvalidated original symlink path.
A prompt injection can direct the agent to create a symlink inside the project directory pointing at an external system file, then deliberately trigger a canonicalization failure so the write proceeds unchecked.
Attack Flow
1. Developer makes a routine request to the Cursor AI agent
2. Agent fetches a web search result or queries a connected MCP server
3. The response contains a hidden prompt injection payload
4. Payload steers the agent to set a malicious working_directory
— or to create a symlink and cause canonicalization to fail
5. Cursor overwrites /Applications/Cursor.app/.../cursorsandbox
6. All subsequent agent commands run unsandboxed on the OS
7. Full developer machine compromise — credentials, source code, SaaS tokensNo user interaction beyond the original prompt is needed.
Scope of Impact
Cursor is used by more than half of Fortune 500 companies. The attack surface is particularly broad because the injection can arrive through:
- Official MCP server integrations — including connectors like the Linear MCP server
- Web search results ingested by the agent during routine tasks
Cato AI Labs confirmed no in-the-wild exploitation prior to public disclosure on July 1, 2026.
Disclosure Timeline
| Date | Event |
|---|---|
| Feb 19, 2026 | Cato AI Labs privately reported both flaws to Cursor |
| Feb 23, 2026 | Cursor initially rejected the report — claimed MCP misuse was outside their threat model |
| Feb 26, 2026 | Cato escalated; Cursor reopened the issue for triage |
| Apr 1–2, 2026 | Both flaws patched in Cursor 3.0 |
| Jun 1, 2026 | Cursor confirmed symlink fix |
| Jun 5, 2026 | CVE IDs assigned |
| Jul 1, 2026 | Cato AI Labs published full public disclosure |
Remediation
Update Cursor to version 3.0 or later. This is the only complete fix.
While waiting to update, reduce your exposure:
- Audit MCP server installations — remove or disable any you did not explicitly install or cannot verify as trusted
- Enable Workspace Trust in Cursor settings
- Set
task.allowAutomaticTasks: "off"to limit unsupervised agent task execution - Be cautious about agent tasks that involve web searches in untrusted environments
Broader Implications
Cursor initially rejected the vulnerability report on the grounds that its threat model didn't include MCP server misuse — even from official integrations. That position has since been reversed, but it highlights a structural gap in how AI coding assistants reason about trust boundaries.
Cato AI Labs has stated it is continuing to audit similar structural flaws in other AI coding agents, suggesting DuneSlide may not be an isolated case.