Cursor — DuneSlide: Two Zero-Click RCEs Let Prompt Injection Escape the Sandbox
AI relevance: Cursor's agent mode auto-runs terminal commands inside a sandbox without user approval — a design choice that turns a prompt injection via poisoned MCP response or search result into full unsandboxed RCE on developer machines.
What happened
- Cato AI Labs disclosed two critical RCE vulnerabilities in Cursor IDE, collectively dubbed DuneSlide: CVE-2026-50548 and CVE-2026-50549.
- Both carry a CVSS 9.8 severity score (9.3 under CVSS 4.0) and require zero user interaction — the victim only needs to issue an ordinary prompt that inadvertently ingests attacker-controlled content.
- Cursor 2.x runs agent terminal commands inside a sandbox automatically, without prompting for approval, to reduce approval fatigue. DuneSlide bypasses that sandbox entirely.
- CVE-2026-50548 (Working Directory Manipulation): The sandbox grants write access to the command's working directory, which is an LLM-controlled parameter. A prompt injection steers the agent to set `working_directory` to a path outside the project root — for example, the Cursor.app bundle — and overwrites the `cursorsandbox` helper binary.
- CVE-2026-50549 (Symlink Canonicalization Bypass): A prompt injection directs the agent to create a symlink inside the project pointing to an external file. When Cursor's canonicalization step fails (target doesn't exist or lacks read permissions), it falls back to trusting the unvalidated symlink path, bypassing out-of-bounds write checks.
- Both paths lead to overwriting `/Applications/Cursor.app/Contents/Resources/app/resources/helpers/cursorsandbox`, converting subsequent sandboxed terminal commands into fully unsandboxed RCE.
- Attackers can also target `~/.zshrc` or `~/Library/LaunchAgents` for persistence across sessions.
- Cursor is used by more than half of Fortune 500 companies, making the blast radius of these flaws significant in enterprise dev environments.
Why it matters
DuneSlide demonstrates that sandboxing alone cannot contain autonomous coding agents when parameter validation and path-resolution edge cases remain exploitable through prompt injection. The attack chain — prompt injection → LLM-controlled parameter → filesystem write → sandbox binary overwrite — is not specific to Cursor. Any AI coding tool that auto-executes commands in a sandbox with LLM-influenced parameters faces the same structural risk. Cato AI Labs states it is continuing responsible disclosure across other popular coding agents, signaling that systemic, architecture-level defenses are needed.
What to do
- Update Cursor to the latest version immediately — patches address both the working-directory validation and symlink canonicalization logic.
- Audit MCP server trust: restrict which MCP servers your agent can query; treat all MCP responses as untrusted input that could carry prompt injection payloads.
- Review sandbox designs in any AI coding tool: ensure LLM-controlled parameters (working directory, file paths, tool arguments) cannot influence writes outside intended boundaries.
- Monitor for indicators: check for unexpected modifications to `cursorsandbox`, `~/.zshrc`, or LaunchAgents on developer machines.