
Prompt Injection Chain Breaks Cursor AI Sandbox, Enables Full RCE

TL;DR CRITICAL
  • What happened: Two critical Cursor IDE flaws let prompt injection escape the AI sandbox and run arbitrary commands.
  • Who's at risk: Developers using Cursor versions prior to 3.0, especially enterprise users with cloud or SaaS workspaces connected to the editor.
  • Act now: Update Cursor to version 3.0 or later immediately · Audit MCP-connected services and restrict agent access to external or untrusted data sources · Review terminal command logs for anomalous working_directory values or unexpected symlink usage

Overview

Cato AI Labs has disclosed a critical vulnerability chain — dubbed DuneSlide — affecting the Cursor AI code editor, tracked as CVE-2026-50548 and CVE-2026-50549 (CVSS 9.8 / 9.3 under CVSS 4.0). The pair of flaws allows an attacker-controlled prompt, planted in an external data source the AI agent reads on behalf of a developer, to silently escape Cursor’s terminal sandbox and execute arbitrary operating system commands. No user interaction is required beyond the developer’s normal workflow — making this a zero-click attack vector.

Cursor’s maker reports adoption across more than half of Fortune 500 companies. A patch is available in Cursor 3.0, released April 2, 2026. All prior versions are affected.


Technical Analysis

Cursor’s 2.x line introduced a default sandbox that restricts what commands issued by its AI agent can touch on the filesystem. DuneSlide breaks that containment through two distinct but mechanically similar paths:

CVE-2026-50548 — Working Directory Abuse

Cursor’s run_terminal_cmd tool accepts an optional working_directory parameter. The sandbox permits writes within a command’s working folder and automatically adds that path to the allowed-write list. Injected instructions set working_directory to a sensitive system path — such as the Cursor sandbox helper binary (/Applications/Cursor.app/Contents/Resources/app/resources/helpers/cursorsandbox) or a shell startup file like ~/.zshrc. Cursor adds the attacker-specified path to the allowlist without validation, and the agent overwrites the target, disabling sandbox enforcement for all subsequent commands.

CVE-2026-50549 — Symlink Resolution Fallback

Before writing a file, Cursor resolves symlinks to confirm the real destination resides inside the project directory. The vulnerability is in the error handling: if resolution fails — because the target does not exist or read access on a path component has been revoked — Cursor falls back to trusting the symlink’s apparent in-project path. An attacker crafts a symlink that appears to point inside the project but resolves to the same sandbox helper. By engineering a resolution failure at check time, the write proceeds unchallenged through the symlink to the external target.

In both cases, once the sandbox helper is neutralised, the next agent-issued terminal command runs with the developer’s full OS privileges.
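Both defects are failures of the same guard: a path the agent supplied is trusted by its apparent location rather than its resolved one. The following is an added example, not Cursor's code, showing fail-closed versions of the two checks: working_directory is allow-listed only if it resolves inside the project, and a symlink whose resolution fails is refused rather than trusted. The project tree, helper file and case names are constructed for the demo.

```python
# Added example (not Cursor's code): fail-closed versions of the two checks DuneSlide defeats.
import os
import tempfile


class SandboxViolation(Exception): pass


def allowed_working_directory(project_root: str, working_directory: str) -> str:
    """CVE-2026-50548: allow-list working_directory only if it resolves inside the project."""
    root = os.path.realpath(project_root)
    real = os.path.realpath(working_directory)
    if not (os.path.isdir(real) and os.path.commonpath([root, real]) == root):
        raise SandboxViolation(f"working_directory escapes project: {working_directory} -> {real}")
    return real


def check_write_target(project_root: str, target: str) -> str:
    """CVE-2026-50549: a symlink that cannot be resolved is denied, not trusted by its name."""
    root = os.path.realpath(project_root)
    real = os.path.realpath(target)
    if os.path.islink(target) and not os.path.exists(real):
        raise SandboxViolation(f"unresolvable symlink, refusing write: {target} -> {real}")
    # A new file is fine when its resolved parent exists; the resolved path must stay in root.
    anchor = real if os.path.exists(real) else os.path.dirname(real)
    if not os.path.exists(anchor) or os.path.commonpath([root, real]) != root:
        raise SandboxViolation(f"write target escapes project: {target} -> {real}")
    return real


def demo() -> dict:
    base = tempfile.mkdtemp()  # throwaway tree, constructed for the demo
    project = os.path.join(base, "project")
    os.makedirs(os.path.join(project, "src"))
    helper = os.path.join(base, "cursorsandbox")  # stand-in for the sandbox helper binary
    open(helper, "w").close()
    os.symlink(helper, os.path.join(project, "to_helper"))
    os.symlink(os.path.join(base, "missing", "x"), os.path.join(project, "dangling"))
    cases = [
        ("cwd_in_project", allowed_working_directory, os.path.join(project, "src")),
        ("cwd_outside_project", allowed_working_directory, base),
        ("write_new_file", check_write_target, os.path.join(project, "src", "new.py")),
        ("write_via_symlink", check_write_target, os.path.join(project, "to_helper")),
        ("write_via_dangling_symlink", check_write_target, os.path.join(project, "dangling")),
    ]
    results = {}
    for name, fn, arg in cases:
        try:
            fn(project, arg)
            results[name] = "allowed"
        except SandboxViolation:
            results[name] = "blocked"
    return results
```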

Delivery mechanism: Injected instructions are embedded in content the agent fetches autonomously — MCP-connected services, web search results, or repository files. The developer triggers the chain simply by asking a routine question.


Framework Mapping

| Framework   | Technique                                    | Rationale                                                                  |
|-------------|----------------------------------------------|----------------------------------------------------------------------------|
| MITRE ATLAS | AML.T0051 — LLM Prompt Injection             | Core delivery mechanism via external data sources                          |
| MITRE ATLAS | AML.T0047 — ML-Enabled Product or Service    | Cursor as the exploited AI-integrated product                              |
| MITRE ATLAS | AML.T0043 — Craft Adversarial Data           | Attacker-crafted content designed to manipulate agent behaviour            |
| OWASP LLM01 | Prompt Injection                             | Canonical prompt injection via indirect data channel                       |
| OWASP LLM08 | Excessive Agency                             | Agent executes filesystem and terminal actions with insufficient constraint |
| OWASP LLM07 | Insecure Plugin Design                       | MCP integration surface exposes agent to untrusted input                   |

Impact Assessment

Successful exploitation grants full shell access on the developer’s machine under their own credentials. Any cloud platforms, SaaS workspaces, or code repositories the editor session is authenticated to are consequently exposed. The zero-click nature and the legitimacy of the triggering workflow (a normal developer query) make detection and prevention particularly difficult at the endpoint level. Enterprise environments with broad Cursor adoption face compounded supply chain risk if compromised developer machines access shared infrastructure.

No known in-the-wild exploitation has been reported as of publication.


Mitigation & Recommendations

  • Update immediately: Upgrade to Cursor 3.0 or later. All earlier versions are vulnerable.
  • Restrict MCP surface: Limit agent integrations to trusted, well-scoped MCP services; disable connections to public or untrusted external sources where possible.
  • Apply least-privilege principles: Ensure the Cursor process operates under a user account with minimal necessary filesystem and cloud permissions.
  • Audit agent activity: Review terminal command logs for anomalous working_directory values or unexpected symlink creation in project directories.
  • Treat external agent inputs as untrusted: Any content fetched autonomously by an AI agent — web pages, API responses, file contents — should be treated as a potential injection vector in your threat model.
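To make the audit recommendation concrete, here is an added example (not from the advisory or from Cursor) that scans agent terminal-command logs for the two indicators named above: a working_directory outside the project root, and an ln -s whose target resolves outside the project. The JSON log layout, field names, project root and sample lines are all assumed or constructed; only the helper path comes from the advisory.

```python
# Added example: scan agent command logs for the two DuneSlide indicators.
# The JSON format, field names and PROJECT_ROOT are assumptions, not Cursor's.
import json
import os
import shlex

PROJECT_ROOT = "/home/dev/app"  # assumed project root for the sample

# Constructed sample log lines (not real Cursor output).
SAMPLE_LOG = """
{"tool": "run_terminal_cmd", "working_directory": "/home/dev/app/src", "command": "npm test"}
{"tool": "run_terminal_cmd", "working_directory": "/Applications/Cursor.app/Contents/Resources/app/resources/helpers", "command": "make"}
{"tool": "run_terminal_cmd", "working_directory": "/home/dev/.zshrc", "command": "make"}
{"tool": "run_terminal_cmd", "working_directory": null, "command": "ln -s /Applications/Cursor.app/Contents/Resources/app/resources/helpers/cursorsandbox ./config.json"}
{"tool": "run_terminal_cmd", "working_directory": "/home/dev/app", "command": "ln -s ../app/shared ./lib"}
"""


def _outside(project_root: str, path: str, base: str) -> bool:
    """True when path (absolute, or relative to base) normalises outside project_root."""
    root = os.path.normpath(project_root)
    full = os.path.normpath(os.path.join(base, path))
    return os.path.commonpath([root, full]) != root


def scan(log_text: str, project_root: str) -> list:
    """Return one finding per suspicious entry: line number, indicator, offending value."""
    findings = []
    for n, raw in enumerate(log_text.strip().splitlines(), 1):
        entry = json.loads(raw)
        if entry.get("tool") != "run_terminal_cmd":
            continue
        cwd = entry.get("working_directory") or project_root  # null means project root
        if _outside(project_root, cwd, project_root):
            findings.append({"line": n, "indicator": "working_directory outside project", "value": cwd})
        try:
            argv = shlex.split(entry.get("command", ""))
        except ValueError:
            argv = []
        # ln with an -s flag (possibly combined, e.g. -sf): first operand is the link target.
        if argv and argv[0] == "ln" and any(a.startswith("-") and "s" in a for a in argv[1:]):
            operands = [a for a in argv[1:] if not a.startswith("-")]
            if len(operands) >= 2 and _outside(project_root, operands[0], cwd):
                findings.append({"line": n, "indicator": "symlink target outside project", "value": operands[0]})
    return findings
```

Line 5 of the sample is deliberately a relative symlink that normalises back inside the project, so the scanner stays quiet there.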
