PROBABLYPWNED
Vulnerabilities | July 3, 2026 | 4 min read

Cursor AI Flaws Let Prompt Injection Escape Sandbox for RCE

Two CVSS 9.8 vulnerabilities in the popular AI code editor allow zero-click attacks where malicious instructions in external data sources execute arbitrary commands on developer machines.

Marcus Chen

Prompt injection isn't just a chatbot problem anymore. Two critical vulnerabilities in Cursor, the AI-powered code editor that claims more than half the Fortune 500 as users, allow attackers to break out of the editor's security sandbox and execute arbitrary commands on developer machines. No clicks required from the victim.

Cato AI Labs disclosed the flaws, tracked as CVE-2026-50548 and CVE-2026-50549, and collectively named them DuneSlide. Both score 9.8 on CVSS 3.1 (9.3 under CVSS 4.0). Cursor patched them in version 3.0, released April 2—every earlier version remains vulnerable.

Zero-Click Exploitation

The attack vector is prompt injection, but the payload delivery doesn't require the victim to type anything malicious. Attackers embed instructions inside data sources that Cursor's AI agent reads on behalf of users: responses from Model Context Protocol (MCP) servers, results from web searches, or content in files the agent accesses.

"There is no click to fall for and no approval box to ignore," Cato's researchers noted. The agent reads external content, the malicious instructions execute, and the sandbox fails to contain them.

Two Paths Out of the Sandbox

CVE-2026-50548 abuses the working directory parameter. Cursor's sandbox permits file writes to a command's working folder through an optional parameter. When the AI agent sets it to a non-default path, Cursor adds that path to the allowed-write list without validation. Injected instructions can point this at system files instead of the project, allowing attackers to overwrite the sandbox helper itself:

  • On macOS: /Applications/Cursor.app/Contents/Resources/app/resources/helpers/cursorsandbox
  • On Windows: C:\Users\[user]\AppData\Local\Programs\cursor\resources\app\resources\helpers\cursorsandbox.exe

Once the sandbox helper is compromised, all subsequent commands execute unrestricted.

CVE-2026-50549 exploits a symlink validation failure. Before writing files, Cursor resolves symbolic links to confirm the actual destination sits inside the project directory. The bug: when that resolution fails—because the target doesn't exist or the attacker removes read access from a folder in the path—Cursor trusts the symlink's stated path instead of rejecting the write. Attackers use this to write outside project boundaries, targeting the same sandbox helper.
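Both bugs come down to the same missing check: a write destination (the optional working directory in CVE-2026-50548, a symlink target in CVE-2026-50549) is trusted before it has been proven to lie inside the project root, and an unresolvable path is accepted instead of refused. The following is an added illustration of a fail-closed containment check, written for this article and not taken from Cursor's code base; the function names, the `PathNotContained` exception and the temporary directory layout in `run_demo()` are all constructed for the example.

```python
"""Fail-closed path containment for an agent sandbox (added example, not Cursor's code)."""
import os
import tempfile
from pathlib import Path
from typing import Dict, List, Optional


class PathNotContained(Exception):
    """Raised when a path cannot be proven to lie inside the project root."""


def _contained(root: Path, target: Path) -> bool:
    return target == root or root in target.parents


def safe_write_target(project_root: str, requested: str) -> Path:
    """Return the real filesystem location `requested` would write to, or raise.

    Every symlink in the path is followed with strict resolution. If any
    component is missing or unreadable, resolution fails and we refuse the
    write rather than trusting the path string as written.
    """
    root = Path(project_root).resolve(strict=True)
    p = Path(requested)
    if not p.is_absolute():
        p = root / p
    try:
        parent = p.parent.resolve(strict=True)
        # A symlink as the final component is followed strictly as well;
        # a dangling link raises here instead of being taken at face value.
        target = p.resolve(strict=True) if p.is_symlink() else parent / p.name
    except OSError as exc:
        raise PathNotContained(f"cannot resolve {requested!r}: {exc}") from exc
    if not _contained(root, target):
        raise PathNotContained(f"{target} is outside {root}")
    return target


def allowed_write_dirs(project_root: str, working_dir: Optional[str] = None) -> List[Path]:
    """Build the sandbox's write allow-list.

    The optional working directory is admitted only after the same containment
    check; adding it unvalidated is the flaw described for CVE-2026-50548.
    """
    root = Path(project_root).resolve(strict=True)
    allowed = [root]
    if working_dir is not None:
        wd = safe_write_target(project_root, working_dir)
        if not wd.is_dir():
            raise PathNotContained(f"{wd} is not a directory")
        if wd != root:
            allowed.append(wd)
    return allowed


def run_demo() -> Dict[str, str]:
    """Exercise the checks on a constructed layout; returns case -> verdict."""
    results: Dict[str, str] = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "project"
        outside = Path(tmp) / "outside"
        (root / "src").mkdir(parents=True)
        outside.mkdir()
        (root / "escape").symlink_to(outside)               # link to a dir outside the project
        (root / "dangling").symlink_to(Path(tmp) / "nope")  # link whose target does not exist
        cases = {
            "plain file": "src/main.py",
            "new file in subdir": "src/new.py",
            "link outside project": "escape/evil.txt",
            "dangling link": "dangling",
            "absolute path outside": os.path.join(tmp, "outside", "x"),
            "dotdot": "../outside/x",
        }
        for name, req in cases.items():
            try:
                safe_write_target(str(root), req)
                results[name] = "allowed"
            except PathNotContained:
                results[name] = "rejected"
        for name, wd in {"cwd inside": "src", "cwd outside": "escape"}.items():
            try:
                allowed_write_dirs(str(root), wd)
                results[name] = "allowed"
            except PathNotContained:
                results[name] = "rejected"
    return results


if __name__ == "__main__":
    for case, verdict in run_demo().items():
        print(f"{case:24s} {verdict}")
```

The design point is the `except OSError` branch: a sandbox that cannot determine where a path really leads has no basis for allowing the write, so the only safe answer is to refuse. The same check gates the working-directory allow-list entry, so a path supplied by the agent is subject to exactly the rules that apply to any other write.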

Impact for Developers

Once sandbox escape succeeds, subsequent commands execute with full developer privileges. That includes:

  • Access to source code repositories
  • Cloud service credentials stored locally
  • SaaS workspace tokens
  • SSH keys and signing certificates
  • CI/CD pipeline access

For organizations with Cursor deployed across engineering teams, a single compromised MCP server or poisoned search result could cascade into widespread code tampering or credential theft.

Disclosure Timeline

Cato disclosed both vulnerabilities on February 19. Cursor initially rejected the reports. After Cato persisted, the vendor reopened the cases on February 26. Patches shipped in Cursor 3.0 on April 2. CVE assignments followed on June 5.

That three-month gap between disclosure and CVE publication means many security teams learned of these issues only this week, long after patches became available. If your organization uses Cursor and hasn't enforced 3.0 upgrades, you're exposed.

Broader Implications

AI-assisted development tools are becoming standard infrastructure. Cursor, GitHub Copilot, Amazon Q, and similar products embed AI agents directly into developer workflows. Those agents read external content, interpret instructions, and take actions—the exact pattern that makes prompt injection dangerous.

We covered similar concerns with Amazon Q Developer last week and AI coding agents inserting reverse shells in late June. The attack surface for AI-integrated development environments is expanding faster than defenses. Security teams need visibility into what AI tools their developers use, what permissions those tools have, and what external content sources they connect to.

Recommended Actions

  1. Upgrade to Cursor 3.0 or later immediately - All prior versions are vulnerable
  2. Audit MCP server connections - External data sources are the attack vector; restrict which servers agents can query
  3. Review web search permissions - If Cursor performs searches, those results can carry malicious payloads
  4. Monitor for sandbox helper modifications - Changes to cursorsandbox binaries indicate active exploitation
  5. Segment developer workstations - Limit what credentials and systems are accessible from machines running AI tools
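Item 4 above calls for watching the sandbox helper for changes. As an added example (not a tool from Cato or Cursor), the script below records SHA-256 hashes of the helper binaries at a known-good point, such as immediately after the 3.0 upgrade, and on each later run reports any file that was modified, removed, or replaced with a symlink. The two entries in `HELPER_PATHS` are the locations quoted in the article; the `[user]` segment must be filled in for a real Windows host, and `run_demo()` builds its own throwaway files so the logic can be exercised without touching an installation.

```python
"""Baseline-and-compare integrity check for sandbox helper binaries (added example)."""
import hashlib
import os
import tempfile
from typing import Dict, Iterable

# Helper locations as listed in the article; extend for your deployment.
HELPER_PATHS = [
    "/Applications/Cursor.app/Contents/Resources/app/resources/helpers/cursorsandbox",
    r"C:\Users\[user]\AppData\Local\Programs\cursor\resources\app\resources\helpers\cursorsandbox.exe",
]


def sha256_file(path: str) -> str:
    """Stream the file through SHA-256 so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths: Iterable[str]) -> Dict[str, str]:
    """Record hashes for every path that currently exists as a regular file."""
    return {p: sha256_file(p) for p in paths if os.path.isfile(p) and not os.path.islink(p)}


def check_integrity(baseline: Dict[str, str]) -> Dict[str, str]:
    """Compare the current state of each baselined path; returns path -> status.

    Statuses: "ok", "modified", "missing", "replaced-by-symlink".
    The symlink check runs first because a helper swapped for a link to
    another file would otherwise hash as whatever the link points at.
    """
    report: Dict[str, str] = {}
    for path, expected in baseline.items():
        if os.path.islink(path):
            report[path] = "replaced-by-symlink"
        elif not os.path.isfile(path):
            report[path] = "missing"
        elif sha256_file(path) != expected:
            report[path] = "modified"
        else:
            report[path] = "ok"
    return report


def run_demo() -> Dict[str, str]:
    """Constructed scenario: four fake helpers, three of them tampered with after baselining."""
    with tempfile.TemporaryDirectory() as tmp:
        names = ["untouched", "overwritten", "deleted", "linked"]
        paths = {n: os.path.join(tmp, n) for n in names}
        for p in paths.values():
            with open(p, "wb") as f:
                f.write(b"original helper bytes")
        baseline = build_baseline(paths.values())

        with open(paths["overwritten"], "ab") as f:   # contents changed
            f.write(b"\x90")
        os.remove(paths["deleted"])                   # file removed
        os.remove(paths["linked"])                    # file replaced by a symlink
        os.symlink(paths["untouched"], paths["linked"])

        report = check_integrity(baseline)
        return {n: report[p] for n, p in paths.items()}


if __name__ == "__main__":
    for name, status in run_demo().items():
        print(f"{name:12s} {status}")
```

In production, store the baseline somewhere the developer workstation cannot rewrite it (a read-only share or your EDR's file integrity feature) and treat any status other than `ok` as an incident to investigate, since a legitimate Cursor update would also change the hash and the baseline should be refreshed as part of that upgrade rather than silently accepted.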

No exploitation in the wild has been documented, but the technical barriers are low once PoC techniques are understood. With Cursor's Fortune 500 footprint, these machines make high-value targets.
