Overview
Cato AI Labs has disclosed a critical vulnerability chain, dubbed DuneSlide, in the Cursor AI code editor, tracked as CVE-2026-50548 and CVE-2026-50549 (CVSS 4.0 scores of 9.8 and 9.3). Together the two flaws let an attacker-controlled prompt, planted in an external data source that the AI agent reads on behalf of a developer, silently escape Cursor’s terminal sandbox and execute arbitrary operating system commands. No user interaction is required beyond the developer’s normal workflow, which makes this a zero-click attack vector.
Cursor’s maker reports adoption across more than half of the Fortune 500. A patch is available in Cursor 3.0, released April 2, 2026; all prior versions are affected.
Technical Analysis
Cursor’s 2.x line introduced a default sandbox that restricts what the commands issued by its AI agent can touch on the filesystem. DuneSlide breaks that containment through two distinct but mechanically similar paths, each ending with the sandbox helper itself being overwritten:
CVE-2026-50548 — Working Directory Abuse
Cursor’s run_terminal_cmd tool accepts an optional working_directory parameter. Because the sandbox permits writes within a command’s working folder, that path is automatically added to the allowed-write list. Injected instructions set working_directory to a sensitive system path, such as the Cursor sandbox helper binary (/Applications/Cursor.app/Contents/Resources/app/resources/helpers/cursorsandbox) or a shell startup file like ~/.zshrc. Cursor adds the attacker-specified path to the allowlist without validating it, and the agent then overwrites the target, disabling sandbox enforcement for all subsequent commands.
CVE-2026-50549 — Symlink Resolution Fallback
Before writing a file, Cursor resolves symlinks to confirm that the real destination lies inside the project directory. The vulnerability is in the error handling: if resolution fails, because the target does not exist or read access on a path component has been revoked, Cursor falls back to trusting the symlink’s apparent in-project path instead of failing closed. An attacker creates a symlink that appears to point inside the project but actually resolves to the same sandbox helper, then engineers a resolution failure at check time; the write proceeds unchallenged through the symlink to the external target.
In both cases, once the sandbox helper is neutralised, the next terminal command the agent issues runs unconfined, with the developer’s full OS privileges.
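The two checks above share one failure pattern: a path supplied or planted by an untrusted party is accepted when validation cannot complete, rather than rejected. The following is an added example and not Cursor’s code; the function names, the scratch project layout and the idea of standing in for the sandbox helper with a file outside the project are all assumptions for illustration. It shows a fail-closed working_directory check for the CVE-2026-50548 pattern (must resolve, must be a directory, must lie inside the project) and, for the CVE-2026-50549 pattern, a deliberately vulnerable resolver that falls back to the apparent path beside a hardened one that refuses anything it cannot resolve.

```python
"""Added example, not Cursor's code: fail-closed versions of the two containment
checks that DuneSlide bypasses, with a deliberately vulnerable resolver beside
the hardened one. Function names and the scratch project layout are assumptions
made for illustration."""
import os
import tempfile


def is_inside(root: str, path: str) -> bool:
    """Lexical containment of an already-resolved `path` within `root`."""
    return path == root or path.startswith(root.rstrip(os.sep) + os.sep)


def strict_realpath(path: str) -> str:
    """Resolve symlinks and fail, as a strict resolver would, if the result does
    not exist. A dangling symlink therefore raises instead of resolving."""
    resolved = os.path.realpath(path)
    if not os.path.exists(resolved):
        raise FileNotFoundError(path)
    return resolved


def validate_working_directory(project_root: str, working_directory) -> str:
    """CVE-2026-50548 pattern: an agent-supplied working_directory must never be
    added to the write allowlist unchecked. Require that it resolves, that it is
    a directory (so a file such as the sandbox helper or ~/.zshrc is refused),
    and that it lies inside the project root."""
    root = os.path.realpath(project_root)
    if working_directory is None:
        return root
    try:
        resolved = strict_realpath(os.path.expanduser(working_directory))
    except OSError:
        raise PermissionError(f"working_directory does not resolve: {working_directory!r}")
    if not os.path.isdir(resolved):
        raise PermissionError(f"working_directory is not a directory: {resolved!r}")
    if not is_inside(root, resolved):
        raise PermissionError(f"working_directory escapes project root: {resolved!r}")
    return resolved


def resolve_write_target_vulnerable(project_root: str, path: str):
    """CVE-2026-50549 pattern (do NOT use): when strict resolution fails, fall
    back to the apparent path. A dangling symlink that sits inside the project
    but points outside it passes the containment check."""
    root = os.path.realpath(project_root)
    try:
        resolved = strict_realpath(path)
    except OSError:
        resolved = os.path.abspath(path)  # the bug: trusts the apparent in-project path
    return resolved if is_inside(root, resolved) else None


def resolve_write_target_hardened(project_root: str, path: str):
    """Fail closed: resolve the parent directory strictly, refuse a symlink at
    the final component (lstat-based, so dangling links are caught too), and
    only then check containment. Anything unresolvable is denied."""
    root = os.path.realpath(project_root)
    parent, name = os.path.split(os.path.abspath(path))
    try:
        real_parent = strict_realpath(parent)
    except OSError:
        return None
    candidate = os.path.join(real_parent, name)
    if os.path.islink(candidate):
        return None
    return candidate if is_inside(root, candidate) else None


def demo() -> dict:
    """Constructed fixture: a scratch project containing a dangling symlink that
    points at a not-yet-existing file outside the project (standing in for the
    sandbox helper). Returns what each check decided and whether a write made
    on the strength of the vulnerable decision actually landed outside."""
    base = os.path.realpath(tempfile.mkdtemp(prefix="duneslide-"))
    project = os.path.join(base, "project")
    outside = os.path.join(base, "outside")
    os.makedirs(project)
    os.makedirs(outside)
    target = os.path.join(outside, "helper")     # absent, so resolution "fails"
    link = os.path.join(project, "notes.txt")   # looks like an in-project file
    os.symlink(target, link)

    result = {
        "vulnerable": resolve_write_target_vulnerable(project, link),
        "hardened": resolve_write_target_hardened(project, link),
    }
    if result["vulnerable"] is not None:        # the flawed check said "inside"
        with open(result["vulnerable"], "w") as fh:
            fh.write("written through the symlink\n")
    result["escaped"] = os.path.exists(target)  # True: the write landed outside

    result["wd_project_ok"] = validate_working_directory(project, project) == project
    rejected = []
    for bad in (link, outside):                 # a file path; a directory outside the project
        try:
            validate_working_directory(project, bad)
        except PermissionError:
            rejected.append(bad)
    result["wd_rejected"] = len(rejected)
    return result


if __name__ == "__main__":
    print(demo())
```

The design point is that containment is decided on the resolved parent plus an lstat of the final component, never on the string the caller supplied, and that any error in resolution is treated as a denial. The same rule makes the working_directory check refuse file paths, which is exactly what the helper binary and ~/.zshrc are.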
Delivery mechanism: Injected instructions are embedded in content the agent fetches autonomously, such as responses from MCP (Model Context Protocol) servers, web search results, or repository files. The developer triggers the chain simply by asking a routine question; no interaction with the malicious content itself is needed.
Framework Mapping
| Framework | Technique | Rationale |
|---|---|---|
| MITRE ATLAS | AML.T0051 — LLM Prompt Injection | Core delivery mechanism via external data sources |
| MITRE ATLAS | AML.T0047 — ML-Enabled Product or Service | Cursor as the exploited AI-integrated product |
| MITRE ATLAS | AML.T0043 — Craft Adversarial Data | Attacker-crafted content designed to manipulate agent behaviour |
| OWASP Top 10 for LLM (2023) | LLM01: Prompt Injection | Indirect prompt injection via an external data channel |
| OWASP Top 10 for LLM (2023) | LLM08: Excessive Agency | Agent executes filesystem and terminal actions with insufficient constraint |
| OWASP Top 10 for LLM (2023) | LLM07: Insecure Plugin Design | MCP integration surface exposes the agent to untrusted input |
Impact Assessment
Successful exploitation grants full shell access on the developer’s machine under their own credentials, so any cloud platforms, SaaS workspaces, or code repositories the developer’s session is authenticated to are exposed as well. Because the trigger is a legitimate workflow (a normal developer query) and the malicious content never has to be opened or clicked, the attack is difficult to detect or prevent at the endpoint. Enterprise environments with broad Cursor adoption face compounded supply chain risk if compromised developer machines hold access to shared infrastructure.
No known in-the-wild exploitation has been reported as of publication.
Mitigation & Recommendations
- Update immediately: Upgrade to Cursor 3.0 or later. All earlier versions are vulnerable.
- Restrict MCP surface: Limit agent integrations to trusted, well-scoped MCP services; disable connections to public or untrusted external sources where possible.
- Apply least-privilege principles: Ensure the Cursor process operates under a user account with minimal necessary filesystem and cloud permissions. The escape yields whatever privileges the developer already has, so this limits the blast radius rather than preventing the bypass.
- Audit agent activity: Review terminal command logs for anomalous working_directory values (paths outside the project, or paths that name a file such as a shell startup script or the sandbox helper) and for unexpected symlink creation in project directories.
- Treat external agent inputs as untrusted: Any content fetched autonomously by an AI agent (web pages, API responses, file contents) should be treated as a potential injection vector in your threat model.
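As an added example of the audit recommendation above (not from the advisory, and not a Cursor feature), the script below scans agent tool-call logs for the two DuneSlide indicators: a working_directory that names a sensitive file or lies outside the project, and a command that creates a symlink. The JSON-lines format, the field names and the sample entries are constructed for illustration; the helper path and ~/.zshrc come from the advisory, while the other shell start-up files in the sensitive list are an assumption.

```python
"""Added example, not from the advisory or Cursor: an offline audit of agent
tool-call logs for the two DuneSlide indicators. The JSON line format, field
names and sample entries are constructed for illustration; adapt the loader to
whatever your agent actually records."""
import json
import os
import re
import shlex

# Paths that should never be a command's working directory. The helper path and
# ~/.zshrc come from the advisory; the other shell start-up files are an assumption.
SENSITIVE_SUFFIXES = (
    "/helpers/cursorsandbox",
    "/.zshrc", "/.zprofile", "/.bashrc", "/.bash_profile", "/.profile",
)

# Constructed sample log: one JSON object per tool call, oldest first.
SAMPLE_LOG = [
    '{"ts":"2026-04-01T09:14:02Z","tool":"run_terminal_cmd","args":{"command":"npm test","working_directory":"/home/dev/app"}}',
    '{"ts":"2026-04-01T09:14:40Z","tool":"read_file","args":{"path":"/home/dev/app/README.md"}}',
    '{"ts":"2026-04-01T09:15:11Z","tool":"run_terminal_cmd","args":{"command":"cat package.json","working_directory":"/Applications/Cursor.app/Contents/Resources/app/resources/helpers/cursorsandbox"}}',
    '{"ts":"2026-04-01T09:15:30Z","tool":"run_terminal_cmd","args":{"command":"ln -sf /Applications/Cursor.app/Contents/Resources/app/resources/helpers/cursorsandbox ./notes.txt && echo done","working_directory":"/home/dev/app"}}',
    '{"ts":"2026-04-01T09:16:02Z","tool":"run_terminal_cmd","args":{"command":"ls","working_directory":"~/.zshrc"}}',
]

# Splits a shell line into simple commands on ; && || and |
SEGMENT_SPLIT = re.compile(r"\s*(?:&&|\|\||[;|])\s*")


def creates_symlink(command: str) -> bool:
    """True if any segment of the command line invokes `ln` with -s (in any
    flag cluster, e.g. -sf or -fs) or --symbolic. Unparseable input is treated
    as suspicious rather than skipped."""
    for segment in SEGMENT_SPLIT.split(command):
        try:
            argv = shlex.split(segment)
        except ValueError:
            return True
        if argv and os.path.basename(argv[0]) == "ln":
            for arg in argv[1:]:
                if arg == "--symbolic" or (arg.startswith("-") and not arg.startswith("--") and "s" in arg):
                    return True
    return False


def audit_log(lines, project_root: str):
    """Return (ts, indicator, detail) for each run_terminal_cmd call whose
    working_directory is a sensitive path or lies outside project_root, and for
    each command that creates a symlink. Comparison is lexical (no realpath)
    because logs are usually reviewed on a different machine."""
    root = os.path.abspath(project_root)
    findings = []
    for raw in lines:
        rec = json.loads(raw)
        if rec.get("tool") != "run_terminal_cmd":
            continue
        args = rec.get("args", {})
        wd = args.get("working_directory")
        if wd is not None:
            wd_abs = os.path.abspath(os.path.expanduser(wd))
            if wd_abs.endswith(SENSITIVE_SUFFIXES):
                findings.append((rec["ts"], "sensitive_working_directory", wd))
            elif not (wd_abs == root or wd_abs.startswith(root + os.sep)):
                findings.append((rec["ts"], "working_directory_outside_project", wd))
        if creates_symlink(args.get("command", "")):
            findings.append((rec["ts"], "symlink_creation", args["command"]))
    return findings


if __name__ == "__main__":
    for ts, kind, detail in audit_log(SAMPLE_LOG, "/home/dev/app"):
        print(ts, kind, detail)
```

Run against the sample log with /home/dev/app as the project root, this flags the helper-binary working directory, the ln -sf into the project, and the ~/.zshrc working directory, and stays silent on the ordinary npm test call. Symlink creation inside a project is not malicious on its own, so treat that indicator as a prompt for review alongside the working_directory findings rather than as an alert by itself.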