DuneSlide Flaws Let Prompt Injection Break Cursor AI Sandbox

Cato AI Labs disclosed CVE-2026-50548 and CVE-2026-50549 in Cursor IDE, CVSS 9.8 flaws enabling zero-click prompt injection to escape the sandbox and execute system commands.

    Cato AI Labs disclosed two critical vulnerabilities in the Cursor AI code editor — collectively named DuneSlide — that allow prompt injection attacks to escape the editor’s sandboxed execution environment and run arbitrary system commands without any user interaction or manual approval. CVE-2026-50548 and CVE-2026-50549, both rated CVSS 9.8, affect all Cursor IDE versions before 3.0. A patch is available: Cursor 3.0, released April 2, 2026, resolves both vulnerabilities. Users running any earlier version are at immediate risk and should update now.

    How DuneSlide’s Prompt Injection Chain Bypasses Cursor’s Sandbox Controls

    The DuneSlide attack exploits the way Cursor’s AI model processes content from files it accesses during normal developer workflows. When a developer opens a repository, processes a README, or accesses documentation within Cursor, the AI model reads and interprets that content as part of its assistance workflow. If an attacker embeds malicious instructions — crafted as prompt injection payloads — within a code comment, documentation file, or repository README, the AI model processes those instructions as directives and executes the attacker’s commands rather than simply reading the text. The sandbox bypass converts this injection into arbitrary system command execution, exposing the developer’s operating system, not just the editor, to attacker control.

    CVE-2026-50548: How Cursor’s Terminal Tool Accepts Attacker-Controlled File Paths

    CVE-2026-50548 exploits a flaw in Cursor’s run_terminal_cmd tool. When this tool is invoked, it allows the sandbox to write to any attacker-specified working_directory path, and that path is then added to the allowed-write list without validation. This bypasses the sandbox’s filesystem write restrictions entirely: an attacker who controls the working_directory value through a prompt injection payload can direct writes to any location on the system outside the project boundary. The lack of validation on the path parameter means the sandbox’s own add-to-allowed-list mechanism becomes the vector for escaping the sandbox’s restrictions.

    CVE-2026-50549: Symlink Validation Failure That Opens Arbitrary Write Access

    CVE-2026-50549 targets Cursor’s pre-write symlink validation logic. When a target path does not exist or read access to a folder in the path has been removed, Cursor’s validation falls back to incorrectly trusting a symlink’s apparent in-project path — even when that path points outside the project filesystem boundary. This fallback failure allows writes to arbitrary locations outside the project directory. Together, CVE-2026-50548 and CVE-2026-50549 provide two independent paths to the same outcome: arbitrary filesystem write leading to code execution, with both rated CVSS 9.8 to reflect the complete loss of sandbox protection they enable.
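
The two checks described above for working_directory and for symlinked write targets, as an added example (not Cursor's or Cato AI Labs' code): a fail-closed containment check in Node.js that resolves every symlink before deciding, and denies when a path cannot be resolved instead of trusting its apparent location. The function names and the temporary directory layout are hypothetical and constructed for the demonstration.

```javascript
const fs = require("fs"), os = require("os"), path = require("path");

// Return the real location of `candidate`, or throw unless it is provably
// inside the project. Any error other than "does not exist" denies.
function resolveInsideProject(projectRoot, candidate) {
  const root = fs.realpathSync(projectRoot);
  let existing = path.resolve(root, candidate);
  const missing = [];
  for (;;) { // walk up to the deepest component that exists
    try { fs.lstatSync(existing); break; } catch (err) {
      if (err.code !== "ENOENT") throw new Error("denied: cannot inspect path");
      missing.unshift(path.basename(existing));
      existing = path.dirname(existing);
    }
  }
  let real;
  try { real = fs.realpathSync(existing); } // follows every symlink
  catch (err) { throw new Error("denied: unresolvable link or directory"); }
  const finalPath = path.join(real, ...missing);
  const rel = path.relative(root, finalPath);
  if (rel === ".." || rel.startsWith(".." + path.sep) || path.isAbsolute(rel))
    throw new Error("denied: resolves outside the project");
  return finalPath;
}

// Hypothetical allow-list update: validate first, then store the real path.
function allowWorkingDirectory(allowedWrites, projectRoot, workingDirectory) {
  allowedWrites.add(resolveInsideProject(projectRoot, workingDirectory));
  return allowedWrites;
}

// Constructed layout: project/, outside/, one live and one dangling symlink.
function demo() {
  const base = fs.mkdtempSync(path.join(os.tmpdir(), "sandbox-demo-"));
  const project = path.join(base, "project");
  const outside = path.join(base, "outside");
  for (const d of [project, outside]) fs.mkdirSync(d);
  fs.symlinkSync(outside, path.join(project, "link"));
  fs.symlinkSync(path.join(outside, "gone"), path.join(project, "dangling"));
  const verdicts = {};
  for (const p of ["src/new/file.txt", "link/new.txt", "dangling/x", "../outside", os.tmpdir()]) {
    try { allowWorkingDirectory(new Set(), project, p); verdicts[p] = "allow"; }
    catch (err) { verdicts[p] = "deny"; }
  }
  fs.rmSync(base, { recursive: true, force: true });
  return verdicts;
}
console.log(demo());
```

A directory with read access removed takes the non-ENOENT branch and is denied; the demo does not exercise it because a process running as root ignores the permission bits. The check and the later write are separate steps, so a sandbox also has to enforce the boundary when the file is actually opened.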

    The Zero-Click Attack Path: Why No Developer Action Is Required

    The most operationally significant aspect of DuneSlide is that no deliberate user interaction is required beyond the act of opening or processing attacker-controlled content. The attack is described by Cato AI Labs as “zero-click” in the sense that it requires only an innocuous prompt from the victim that causes the AI agent to ingest an attacker-controlled payload from an MCP server or web search result — the payload then activates the exploit chain silently. Cursor’s AI model automatically processes file content during normal editor usage; developers do not need to explicitly invoke any AI feature or approve any action for the injection to trigger.

    The Attack Surface: Malicious Repositories, Compromised Dependencies, and Web Search Results

    The delivery paths for DuneSlide payloads include any content the developer opens or accesses in Cursor: a malicious public repository, a crafted dependency pulled during development, a compromised shared codebase, a README in an open-source project, or attacker-controlled content returned in a web search result that Cursor’s agent ingests. Cursor’s deep integration with developer workflows means the tool has legitimate access to file systems, terminal sessions, and development infrastructure — credentials, environment files, API keys, and infrastructure configuration are all within the blast radius of a successful DuneSlide exploitation. The potential impact includes credential theft from development environments, source code exfiltration, and supply chain compromise through developer machines that have authenticated access to internal code repositories and production deployment pipelines.

    Patching DuneSlide: Cursor 3.0 Is the Required Update

    All Cursor IDE versions before 3.0 are vulnerable to CVE-2026-50548 and CVE-2026-50549. Cato AI Labs published the full technical disclosure on July 1, 2026; the patch was already available in Cursor 3.0, released April 2, 2026 — meaning users who remained on older versions after April 2 were running vulnerable software during the period between the patch release and the public CVE disclosure. Developers should update to Cursor 3.0 immediately. Until the update is applied, developers should treat any unexpected terminal activity or file system changes occurring after opening new content as a potential indicator of DuneSlide exploitation.