Two flaws, tracked as CVE-2026-50548 and CVE-2026-50549 and collectively named DuneSlide by Cato AI Labs, could let a single, ordinary-looking prompt break out of Cursor's safety sandbox and run any command on a developer's computer, researchers warn.
DuneSlide: the essentials
Cato AI Labs discovered the pair and gave them the name DuneSlide. Both are high-severity flaws — rated 9.8 out of 10 (9.3 under CVSS 4.0) — that affect every Cursor release before Cursor 3.0. The vendor shipped the patch in Cursor 3.0 on April 2. Cursor's maker says more than half the Fortune 500 use the tool, and the public advisory bluntly concludes: if you run it, update now.
Cursor's sandbox and the Model Context Protocol (MCP)
Cursor introduced a sandbox in the 2.x line to run terminal commands its AI agent issues inside a locked box that limits what those commands can touch. The sandbox was designed to stop a stray instruction from wrecking the machine. DuneSlide bypasses that safeguard through prompt injection: attacker-controlled instructions hidden in content the agent reads on the user's behalf, for example from a connected service reached via the Model Context Protocol (MCP) or from a web search result. Because the agent reads that content automatically, the attack requires no click or approval — a so-called "zero-click" escape.
Two doors, the same escape: working_directory and symlink fallback
- CVE-2026-50548 abuses a setting. Cursor's run_terminal_cmd tool accepts an optional parameter, working_directory, and the sandbox permits writes into a command's working folder. When the agent sets working_directory to a non-default path, Cursor adds that path to the allowed-write list without additional validation. Injected instructions can point that parameter at a system file instead of the project. Overwriting the sandbox helper itself (for example, on macOS at /Applications/Cursor.app/Contents/Resources/app/resources/helpers/cursorsandbox) or startup files such as ~/.zshrc lets later commands run with no sandbox at all.
- CVE-2026-50549 abuses a symlink safety check. Before writing, Cursor attempts to resolve symlinks to confirm the real destination is inside the project. If that resolution fails — because the target does not exist, or because an attacker removes read access from a folder in the path — Cursor falls back and trusts the symlink's own location inside the project instead of where it points. An attacker can create a symlink that points outside the project, force the resolution to fail, and cause Cursor to write straight through it to the same sandbox helper. Same end: the sandbox is neutralized and the next command runs as the user.
Timeline: discovery, rejection, escalation, and patch
Cato reported both issues to Cursor on February 19. According to Cato's account, Cursor rejected the reports four days later, saying its threat model did not cover misuse of MCP servers, even standard ones such as the official Linear workspace. Cato escalated the report on February 26; Cursor then reopened the reports, triaged them, and shipped fixes in Cursor 3.0 on April 2. The CVE identifiers were assigned on June 5. Cursor also published its own advisory for the symlink bug and an NVD record is live. Cato presented its work as research, and the public vulnerability record shows no known exploitation as of publication.
What this means for developers, affected enterprises, and adversaries
- Developers and security teams: if you run any Cursor release before 3.0, the vendor advisory and public reporting converge on one action — update to Cursor 3.0. The attack path is a single injected prompt that can be carried by any input the agent reads automatically, so teams should treat agent-facing inputs (MCP-connected services, web search results, repository content) as hostile until patched controls are confirmed.
- Affected enterprises and procurement leaders: Cursor's maker reports more than half the Fortune 500 use the tool, so organizational exposure is broad. Enterprises should verify Cursor versions across developer endpoints and cloud or SaaS workspaces the editor is signed into; once the sandbox is neutralized, a compromised agent can reach any cloud or service account the editor has access to.
- Adversaries and threat actors: the exploit model is attractive because it is zero-click — an attacker can plant instructions in an MCP-connected workspace, search result, or repository content and rely on the agent to read and act without a user prompt. Cato also says it is disclosing similar flaws in other coding agents and frames the problem as structural, not a string of isolated mistakes.
DuneSlide is the latest in a series of Cursor vulnerabilities that begin with a poisoned prompt and end in code execution. Earlier entries include CurXecute (CVE-2025-54135, August 2025), where a planted Slack message rewrote Cursor's ~/.cursor/mcp.json and ran commands even after the user rejected the edit (fixed in 1.3); MCPoison (CVE-2025-54136) from Check Point Research, which lets an attacker get an MCP config approved once and then swap in malicious commands with no second prompt; and CVE-2026-26268 (February 2026), which hid a booby-trapped Git hook that fired when the agent ran a Git command (patched in 2.5). Cursor's 2.x sandbox was a direct response to that earlier wave — and DuneSlide shows how attackers can find new ways out.
Cursor's April patch closes the immediate door. The broader question Cato leaves on the table is whether vendors that build agents which read the open web will treat every input as hostile by default — a defensive posture that would be structural and broad — or continue to patch one dangerous interaction at a time. For organizations that rely on Cursor, the immediate, factual answer is simple and urgent: versions before 3.0 are affected; update now.