Cursor AI Flaws Let Prompt Injection Escape Sandbox for RCE
Two CVSS 9.8 vulnerabilities in the popular AI code editor allow zero-click attacks where malicious instructions in external data sources execute arbitrary commands on developer machines.
Prompt injection isn't just a chatbot problem anymore. Two critical vulnerabilities in Cursor, the AI-powered code editor that claims more than half the Fortune 500 as users, allow attackers to break out of the editor's security sandbox and execute arbitrary commands on developer machines. No clicks required from the victim.
Cato AI Labs disclosed the flaws, tracked as CVE-2026-50548 and CVE-2026-50549, and collectively named them DuneSlide. Both score 9.8 on CVSS 3.1 (9.3 under CVSS 4.0). Cursor patched them in version 3.0, released April 2—every earlier version remains vulnerable.
Zero-Click Exploitation
The attack vector is prompt injection, but the payload delivery doesn't require the victim to type anything malicious. Attackers embed instructions inside data sources that Cursor's AI agent reads on behalf of users: responses from Model Context Protocol (MCP) servers, results from web searches, or content in files the agent accesses.
"There is no click to fall for and no approval box to ignore," Cato's researchers noted. The agent reads external content, the malicious instructions execute, and the sandbox fails to contain them.
Two Paths Out of the Sandbox
CVE-2026-50548 abuses the working directory parameter. Cursor's sandbox permits file writes to a command's working folder through an optional parameter. When the AI agent sets it to a non-default path, Cursor adds that path to the allowed-write list without validation. Injected instructions can point this at system files instead of the project, allowing attackers to overwrite the sandbox helper itself:
- On macOS: /Applications/Cursor.app/Contents/Resources/app/resources/helpers/cursorsandbox
- On Windows: C:\Users\[user]\AppData\Local\Programs\cursor\resources\app\resources\helpers\cursorsandbox.exe
Once the sandbox helper is compromised, all subsequent commands execute unrestricted.
CVE-2026-50549 exploits a symlink validation failure. Before writing files, Cursor resolves symbolic links to confirm the real destination sits inside the project directory. The bug: when that resolution fails, because the target does not exist or because the attacker has removed read access from a directory along the path, Cursor falls back to the symlink's stated path instead of rejecting the write. The check fails open rather than closed, so attackers can write outside the project boundary and target the same sandbox helper.
Impact for Developers
Once the sandbox escape succeeds, subsequent commands run with the developer's own user privileges. That typically includes:
- Access to source code repositories
- Cloud service credentials stored locally
- SaaS workspace tokens
- SSH keys and signing certificates
- CI/CD pipeline access
For organizations with Cursor deployed across engineering teams, a single compromised MCP server or poisoned search result could cascade into widespread code tampering or credential theft.
Disclosure Timeline
Cato disclosed both vulnerabilities on February 19. Cursor initially rejected the reports. After Cato persisted, the vendor reopened the cases on February 26. Patches shipped in Cursor 3.0 on April 2. CVE assignments followed on June 5.
That gap, two months between the patch and the CVE assignments and more than three between the initial report and the CVEs, means many security teams learned of these issues only this week, long after fixes became available. If your organization uses Cursor and hasn't enforced 3.0 upgrades, you're exposed.
Broader Implications
AI-assisted development tools are becoming standard infrastructure. Cursor, GitHub Copilot, Amazon Q, and similar products embed AI agents directly into developer workflows. Those agents read external content, interpret instructions, and take actions—the exact pattern that makes prompt injection dangerous.
We covered similar concerns with Amazon Q Developer last week and AI coding agents inserting reverse shells in late June. The attack surface for AI-integrated development environments is expanding faster than defenses. Security teams need visibility into what AI tools their developers use, what permissions those tools have, and what external content sources they connect to.
Recommended Actions
- Upgrade to Cursor 3.0 or later immediately: all prior versions are vulnerable.
- Audit MCP server connections: external data sources are the attack vector; restrict which servers agents can query.
- Review web search permissions: if Cursor performs searches, those results can carry malicious payloads.
- Monitor for sandbox helper modifications: changes to the cursorsandbox binaries indicate active exploitation.
- Segment developer workstations: limit what credentials and systems are accessible from machines running AI tools.
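Both escapes end with the same artifact, a rewritten sandbox helper, so a hash baseline of that binary is a cheap detection. The script below is an added example written for this page, not a tool from Cursor or Cato. The helper paths are the ones the article quotes (with the Windows user directory expressed as `%LOCALAPPDATA%`); the baseline file name and JSON layout, and the stand-in files the demo creates in a temporary directory, are assumptions. Run it once after installing or upgrading Cursor to record a baseline, then on a schedule to alert on any change.

```python
"""Baseline-and-compare integrity check for the Cursor sandbox helper.

Added example, not Cursor's or Cato's tooling. Paths come from the
advisory; the baseline file name and the demo's stand-in files are
constructed for this illustration.
"""
import hashlib
import json
import os
import platform
import sys
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List, Optional, Tuple

HELPER_PATHS = {
    "Darwin": "/Applications/Cursor.app/Contents/Resources/app/resources/helpers/cursorsandbox",
    "Windows": os.path.expandvars(
        r"%LOCALAPPDATA%\Programs\cursor\resources\app\resources\helpers\cursorsandbox.exe"),
}
BASELINE_FILE = Path.home() / ".cursorsandbox-baseline.json"   # assumed location


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries are not read at once."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(paths: Iterable[os.PathLike]) -> Dict[str, Optional[dict]]:
    """Record hash and size per path; None marks a path absent at snapshot time."""
    snap: Dict[str, Optional[dict]] = {}
    for p in map(Path, paths):
        if not p.is_file():
            snap[str(p)] = None
            continue
        snap[str(p)] = {"sha256": sha256_file(p), "size": p.stat().st_size}
    return snap


def compare(baseline: Dict[str, Optional[dict]],
            current: Dict[str, Optional[dict]]) -> List[Tuple[str, str]]:
    """Return (path, finding) pairs; an empty list means nothing changed."""
    findings = []
    for path, base in baseline.items():
        cur = current.get(path)
        if base is None:
            continue                          # was absent at baseline time
        if cur is None:
            findings.append((path, "missing"))
        elif cur["sha256"] != base["sha256"]:
            findings.append((path, "modified"))  # rewritten helper: investigate
    return findings


def default_helper_path() -> Optional[str]:
    return HELPER_PATHS.get(platform.system())


def demo() -> List[Tuple[str, str]]:
    """Constructed scenario: record a baseline, then tamper and compare."""
    d = Path(tempfile.mkdtemp())
    helper, helper_exe = d / "cursorsandbox", d / "cursorsandbox.exe"
    helper.write_bytes(b"#!/bin/sh\nexec real-sandbox \"$@\"\n")  # stand-in, not the real binary
    helper_exe.write_bytes(b"MZ stand-in")
    baseline = snapshot([helper, helper_exe])
    helper.write_bytes(b"#!/bin/sh\nexec \"$@\"\n")  # "patched" helper that enforces nothing
    helper_exe.unlink()
    return compare(baseline, snapshot([helper, helper_exe]))


if __name__ == "__main__":
    target = default_helper_path()
    if target is None:
        print("no known helper path for this platform; running demo")
        print(demo())
        sys.exit(0)
    current = snapshot([target])
    if not BASELINE_FILE.exists():
        BASELINE_FILE.write_text(json.dumps(current, indent=2))
        print(f"baseline written to {BASELINE_FILE}")
        sys.exit(0)
    hits = compare(json.loads(BASELINE_FILE.read_text()), current)
    for path, kind in hits:
        print(f"ALERT {kind}: {path}")
    sys.exit(1 if hits else 0)
```

Re-baseline after every legitimate Cursor update, since the helper changes with the application; an alert immediately after an update is expected, one at any other time is not.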
No exploitation in the wild has been documented, but the technical barriers are low once PoC techniques are understood. With Cursor's Fortune 500 footprint, these machines make high-value targets.
Related Articles
SearchLeak Let Attackers Steal M365 Emails and MFA Codes in One Click (Jun 23, 2026)
CVE-2026-42824 chained prompt injection, a timing race, and CSP bypass to exfiltrate Outlook emails, OneDrive files, and MFA codes via Microsoft 365 Copilot. Now patched.
ChatGPhish Turns ChatGPT Web Summaries Into Phishing Delivery (May 31, 2026)
Researchers discover ChatGPT's Markdown rendering trusts attacker-controlled content from summarized pages, enabling phishing URLs, IP exfiltration, and fake security alerts inside the AI interface.
ChatGPT Bug Let Malicious Prompts Exfiltrate Data via DNS (Mar 31, 2026)
Check Point Research disclosed a ChatGPT vulnerability that abused DNS tunneling to silently steal conversation data. OpenAI patched the flaw on February 20, 2026.
Custom Fonts Let Attackers Hide Commands from AI Assistants (Mar 18, 2026)
LayerX researchers found that custom font rendering can hide malicious prompts from ChatGPT, Claude, Gemini, and other AI assistants while displaying them to users.