Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1794+ Articles
149+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. News
  3. Critical Cursor AI Code Editor Flaws Could Lead to OS-Level Remote Code Execution
Critical Cursor AI Code Editor Flaws Could Lead to OS-Level Remote Code Execution
NEWS

Critical Cursor AI Code Editor Flaws Could Lead to OS-Level Remote Code Execution

Two critical vulnerabilities (CVE-2026-50548, CVE-2026-50549) dubbed DuneSlide allow zero-click prompt injection attacks to escape Cursor IDE's sandbox...

Dylan H.

News Desk

July 3, 2026
4 min read

Researchers at Cato AI Labs have disclosed two critical vulnerabilities in the Cursor AI code editor that allow a prompt injection attack to fully escape the application sandbox and execute arbitrary OS-level commands on the developer's machine — with no clicks required from the victim.

The vulnerability pair, nicknamed DuneSlide, carries CVSS scores of 9.8 (Critical) for both CVE-2026-50548 and CVE-2026-50549. All Cursor versions prior to 3.0 are affected.

What Is DuneSlide?

DuneSlide is a two-vulnerability chain discovered by Cato AI Labs (a research division of Cato Networks). Both flaws exploit weaknesses in how Cursor validates write paths before allowing its AI agent to modify files. Injecting a malicious payload through a poisoned MCP server response or a web search result — without any additional user interaction — is enough to trigger either vulnerability.

The end result is the same in both cases: the attacker overwrites the cursorsandbox binary, the process responsible for enforcing Cursor's write isolation. Once that binary is replaced, all subsequent AI agent commands execute directly on the underlying OS with no sandboxing in place.

CVE-2026-50548 — Working Directory Abuse

Cursor's run_terminal_cmd tool accepts an optional working_directory parameter. When an AI agent sets this parameter to a path outside the project directory, Cursor automatically adds that path to the sandbox's allowed-write list without further validation.

A prompt injection that steers the agent to specify a system-level working directory — such as the directory containing cursorsandbox itself — lets an attacker silently write to locations that should be off limits, including the sandbox binary.

CVE-2026-50549 — Symlink Canonicalization Bypass

Before writing a file, Cursor resolves symlinks to confirm the real destination is inside the project. When that resolution fails — because the target doesn't exist or a directory in the path has restricted read permissions — Cursor falls back to trusting the unvalidated original symlink path.

A prompt injection can direct the agent to create a symlink inside the project directory pointing at an external system file, then deliberately trigger a canonicalization failure so the write proceeds unchecked.

Attack Flow

1. Developer makes a routine request to the Cursor AI agent
2. Agent fetches a web search result or queries a connected MCP server
3. The response contains a hidden prompt injection payload
4. Payload steers the agent to set a malicious working_directory
   — or to create a symlink and cause canonicalization to fail
5. Cursor overwrites /Applications/Cursor.app/.../cursorsandbox
6. All subsequent agent commands run unsandboxed on the OS
7. Full developer machine compromise — credentials, source code, SaaS tokens

No user interaction beyond the original prompt is needed.

Scope of Impact

Cursor is used by more than half of Fortune 500 companies. The attack surface is particularly broad because the injection can arrive through:

  • Official MCP server integrations — including connectors like the Linear MCP server
  • Web search results ingested by the agent during routine tasks

Cato AI Labs confirmed no in-the-wild exploitation prior to public disclosure on July 1, 2026.

Disclosure Timeline

DateEvent
Feb 19, 2026Cato AI Labs privately reported both flaws to Cursor
Feb 23, 2026Cursor initially rejected the report — claimed MCP misuse was outside their threat model
Feb 26, 2026Cato escalated; Cursor reopened the issue for triage
Apr 1–2, 2026Both flaws patched in Cursor 3.0
Jun 1, 2026Cursor confirmed symlink fix
Jun 5, 2026CVE IDs assigned
Jul 1, 2026Cato AI Labs published full public disclosure

Remediation

Update Cursor to version 3.0 or later. This is the only complete fix.

While waiting to update, reduce your exposure:

  • Audit MCP server installations — remove or disable any you did not explicitly install or cannot verify as trusted
  • Enable Workspace Trust in Cursor settings
  • Set task.allowAutomaticTasks: "off" to limit unsupervised agent task execution
  • Be cautious about agent tasks that involve web searches in untrusted environments

Broader Implications

Cursor initially rejected the vulnerability report on the grounds that its threat model didn't include MCP server misuse — even from official integrations. That position has since been reversed, but it highlights a structural gap in how AI coding assistants reason about trust boundaries.

Cato AI Labs has stated it is continuing to audit similar structural flaws in other AI coding agents, suggesting DuneSlide may not be an isolated case.


References

  • DuneSlide: Two Critical RCE Vulnerabilities via Zero-Click Prompt Injection in Cursor IDE — Cato Networks
  • Critical Cursor Flaws Could Let Prompt Injection Escape Sandbox — The Hacker News
  • Sandbox Bypass Flaws in Cursor IDE Highlight Prompt Injection as an RCE Vector — CSO Online
#Cursor IDE#RCE#Prompt Injection#Vulnerability#CVE-2026-50548#CVE-2026-50549#AI Security

Related Articles

Langflow RCE Exploited to Deploy Monero Miner on Exposed AI App Endpoints

Threat actors are actively weaponizing CVE-2026-33017, a critical unauthenticated RCE flaw in Langflow, to deploy a Monero miner via the lambsys...

6 min read

Unpatched Langflow Flaw CVE-2026-5027 Exploited for Unauthenticated RCE

A high-severity path traversal flaw (CVE-2026-5027, CVSS 8.8) in the AI application builder Langflow is being actively exploited with no patch available....

5 min read

Autonomous AI Tool Finds 2-Year-Old RCE Flaw in Redis (CVE-2026-23479)

Redis has patched a use-after-free vulnerability in its blocking-client code that allows authenticated users to execute arbitrary OS commands on the database…

6 min read
Back to all News