DuneSlide: Two Critical Cursor Flaws Let Prompt Injection Escape the Sandbox and Run Commands With No Click or Approval
Eric Serrano Bustos
On 1 July 2026, Cato AI Labs published the full research on DuneSlide, two critical remote code execution vulnerabilities (CVSS 9.8) in Cursor, the AI code editor that, according to its own maker, is used by more than half of Fortune 500 companies. What makes DuneSlide especially alarming is not just the technical severity but the complete absence of human interaction required to exploit it: there is no link to click, no approval box to ignore. The attack triggers when the victim makes a completely ordinary request to their coding assistant, which unknowingly ingests attacker-controlled content from an apparently innocuous source, such as a connected MCP server or a poisoned web search result. Both flaws, tracked as CVE-2026-50548 and CVE-2026-50549, are already patched in Cursor 3.0, released in April 2026, but any earlier version remains exposed.
What do we know about DuneSlide?
Facts documented by Cato AI Labs, The Hacker News and CSO Online:
Nature of the flaw: two independent vulnerabilities that allow escaping Cursor's command execution sandbox, the protective layer designed to prevent the internal AI agent from performing unauthorised actions on the underlying operating system.
CVE-2026-50548: abuses an optional parameter called working_directory in Cursor's run_terminal_cmd tool. The sandbox allows writes inside a command's working directory, and the AI agent can set that directory to any path without the sandbox checking it against the project boundary. A prompt injection can therefore steer the parameter to a system path outside the project, including the sandbox binary itself (cursorsandbox on macOS) or shell startup files such as ~/.zshrc.
CVE-2026-50549: exploits a flaw in Cursor's path resolution logic. Before writing a file, Cursor resolves symbolic links to confirm that the real destination lies inside the project. The bug is in the fallback: when that resolution fails, Cursor trusts the path the symlink declares instead of refusing the write, so a symlink planted inside the project can carry the write to a file outside it.
Zero user interaction required: according to Cato's researchers, the exploit requires no prior privileges or specific deliberate action. It triggers when the victim makes an innocuous request that unknowingly ingests attacker-controlled content from an untrusted source, such as an MCP server or a poisoned search result.
Impact of successful exploitation: overwriting the sandbox binary itself turns any subsequent command into unrestricted execution, leading to full compromise of both the local machine and any connected SaaS environments.
Disclosure timeline: Cato escalated the finding on 26 February 2026. Cursor reopened the reports, triaged them, and shipped both fixes in version 3.0. CVE identifiers were assigned on 5 June.
Fourth incident in the same family: DuneSlide is the latest in a series of Cursor flaws that begin with a poisoned prompt and end in code execution. It follows CurXecute (CVE-2025-54135, August 2025), MCPoison (CVE-2025-54136) and a manipulated Git hook documented in February 2026 (CVE-2026-26268).
Scope of the research: Cato AI Labs confirms it is responsibly disclosing similar vulnerabilities in other popular coding agents, noting the problem is not exclusive to Cursor but a structural pattern in how these tools' sandboxes are designed.
Why Cursor and AI code editors are a high-value target
Cursor is not a niche tool. Its own maker states more than half of Fortune 500 companies use it, and the company was recently acquired by SpaceX for $60 billion in stock, a clear signal of its centrality to modern enterprise software development. Three factors explain why these tools concentrate so much risk:
The AI agent has real execution permissions on the developer's system. Unlike a chatbot that only generates text, Cursor runs terminal commands, writes files and modifies the operating system on the developer's behalf. When that agent can be manipulated by external content, the attacker inherits those same execution permissions.
The agent's context sources are broader than the developer's own input. A modern coding agent does not just read what the developer types: it ingests web search results, responses from connected MCP servers, repository content and external documentation. Each of those sources is a potential prompt injection vector if not validated with the same rigour as direct user input.
The developer's endpoint is the gateway to enterprise infrastructure. A developer running Cursor typically has access to private repositories, deployment credentials, API tokens and connections to corporate SaaS environments. Compromising their machine via DuneSlide is not just a local incident: it is an entry point to whatever systems that developer can reach.
How these attacks happen: from an innocuous prompt to unrestricted execution
The DuneSlide exploitation chain, documented by Cato AI Labs and CSO Online, follows this pattern:
The attacker plants hidden instructions in a source the Cursor agent will consult. This can be the response from an MCP server connected to the editor, or the content of a web page appearing in search results the agent runs on the developer's behalf.
The developer makes a completely normal request to their coding assistant. There is nothing suspicious about the user's action: they are simply using Cursor as they normally would.
The AI agent unknowingly ingests the malicious content while processing that request. The attacker's hidden instructions blend with the legitimate context the model is processing.
The prompt injection steers the agent into setting the working_directory parameter or creating a malicious symlink. For CVE-2026-50548, the agent sets a working directory outside the project. For CVE-2026-50549, it creates a symlink inside the project that points to an external file.
Cursor trusts the manipulated path and writes outside the sandbox boundary. The attacker can then overwrite the sandbox binary itself or system startup files.
Subsequent commands run without restriction. Once the sandbox binary has been replaced, every command the agent executes from that point onward has full access to the underlying operating system.
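The two checks the chain above hinges on, as an added example that is not Cursor's code: a minimal write-boundary check for an agent sandbox, written to reproduce both weaknesses described under CVE-2026-50548 and CVE-2026-50549 (an agent-chosen working_directory accepted as an extra writable root, and a fallback to the unresolved path when symlink resolution fails), beside a hardened version that checks the working directory against the project boundary and refuses rather than falls back. The directory layout, the file names and the precise condition that makes resolution fail (a symlink whose target does not exist yet) are assumptions made for this example; the page does not describe Cursor's internal logic at that level of detail. It runs on POSIX with the standard library only.

```python
"""Added example (not Cursor's code): a minimal write-boundary check for an
agent sandbox that reproduces the two weaknesses described in the article,
beside a hardened version. Directory layout, file names and the failure
condition for symlink resolution are constructed for illustration."""
import os
import tempfile


def strict_realpath(path: str) -> str:
    """realpath() that fails instead of returning a path that does not exist."""
    resolved = os.path.realpath(path)
    if not os.path.exists(resolved):
        raise FileNotFoundError(path)
    return resolved


def is_inside(root: str, candidate: str) -> bool:
    """True if the canonical path `candidate` lies under the canonical `root`."""
    try:
        return os.path.commonpath([root, candidate]) == root
    except ValueError:          # different drives on Windows
        return False


def flawed_write_allowed(project_root, target, working_directory=None) -> bool:
    """Both weaknesses at once:
    1. an agent-supplied working_directory becomes an extra writable root
       without being checked against the project boundary;
    2. when symlink resolution fails, the lexical path is trusted instead of
       the operation being refused."""
    roots = [os.path.realpath(project_root)]
    if working_directory:
        roots.append(os.path.realpath(working_directory))   # weakness 1
    try:
        resolved = strict_realpath(target)
    except OSError:
        resolved = os.path.abspath(target)                   # weakness 2
    return any(is_inside(r, resolved) for r in roots)


def canonical_write_target(target: str) -> str:
    """Resolve the parent directory fully (it must exist) and refuse to write
    through a symlink in the final component. A file that does not exist yet
    is fine; an unresolvable parent is an error, never a fallback."""
    absolute = os.path.abspath(target)
    parent = strict_realpath(os.path.dirname(absolute))
    final = os.path.join(parent, os.path.basename(absolute))
    if os.path.islink(final):
        raise PermissionError(f"symlink in write target: {final}")
    return final


def hardened_write_allowed(project_root, target, working_directory=None) -> bool:
    root = os.path.realpath(project_root)
    # A working directory is only honoured if it is itself inside the project.
    if working_directory and not is_inside(root, os.path.realpath(working_directory)):
        return False
    try:
        resolved = canonical_write_target(target)
    except OSError:             # PermissionError is an OSError: deny, never fall back
        return False
    return is_inside(root, resolved)


def demo() -> dict:
    """Build a throwaway layout and run both checks over four write requests.
    Returns {case: (flawed_result, hardened_result)}."""
    base = os.path.realpath(tempfile.mkdtemp())
    project = os.path.join(base, "project")
    home = os.path.join(base, "home")            # stands in for the victim's $HOME
    os.makedirs(os.path.join(project, "src"))
    os.makedirs(home)
    with open(os.path.join(home, ".zshrc"), "w") as fh:
        fh.write("# existing startup file\n")
    # Symlinks an injected prompt could have the agent create inside the project:
    os.symlink(os.path.join(home, ".zshrc"), os.path.join(project, "rc"))      # existing target
    os.symlink(os.path.join(home, ".zprofile"), os.path.join(project, "rc2"))  # target not yet present

    cases = {
        "legit new file":      (os.path.join(project, "src", "main.py"), None),
        "working_directory":   (os.path.join(home, ".zshrc"), home),
        "symlink to existing": (os.path.join(project, "rc"), None),
        "dangling symlink":    (os.path.join(project, "rc2"), None),
    }
    return {name: (flawed_write_allowed(project, t, wd), hardened_write_allowed(project, t, wd))
            for name, (t, wd) in cases.items()}


if __name__ == "__main__":
    for name, (flawed, hardened) in demo().items():
        print(f"{name:22} flawed={flawed!s:5} hardened={hardened}")
```

Run it directly to see the four cases side by side: the flawed check already blocks a symlink to an existing outside file, which is why resolution has to fail before the fallback can be reached. The hardened variant makes two decisions the flawed one does not: a failed resolution is a denial, and a caller-supplied directory can never widen the boundary it is supposed to be confined by.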
Key lessons for businesses and executives with development teams
DuneSlide confirms a trend the Apolo blog has been documenting since June: AI agents in development tools are already a real attack vector, not an academic hypothesis. Recommended actions for organisations running Cursor or similar tools in production:
Update to Cursor 3.0 or later immediately. The patch has been available since April 2026. Any earlier version remains exposed to both CVEs.
Audit which external context sources the coding agent can query. Review which MCP servers are connected, what web search permissions the agent has enabled, and limit those connections to what is strictly necessary.
Treat the sandbox as a defence layer, not the only protection. Cato AI Labs is explicit: sandboxing alone is not sufficient if parameter validation and path resolution have logic flaws. Organisations should implement additional controls, such as OS-level network restrictions for processes the agent runs.
Do not assume other AI coding agents are free of this pattern. Cato AI Labs confirms it is disclosing similar vulnerabilities in other popular tools. The problem is architectural, not exclusive to one product.
Limit the permissions of credentials accessible from the development environment. Since a compromised developer endpoint can become a gateway to corporate systems, applying least-privilege principles to tokens and credentials available on those machines reduces the impact of a successful compromise.
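For the audit step above, an added example (not Apolo's or Cursor's tooling) that inventories the MCP servers an editor is allowed to query and flags the entries a reviewer should look at first. It assumes the layout Cursor documents for mcp.json, a top-level mcpServers object in which stdio servers carry command and args and remote servers carry url; the configuration embedded below is constructed for the example, and the flags are generic hygiene checks (plain-HTTP endpoints, launchers that fetch the server at run time without a version pin, credentials kept in the config file), not DuneSlide-specific detections. Whether each server is strictly necessary remains a manual decision.

```python
"""Added example (not Apolo's or Cursor's tooling): inventory the MCP servers
an editor may query and flag the ones that deserve a second look. Assumes
Cursor's documented mcp.json layout; the sample config is constructed."""
import json
import re
from urllib.parse import urlparse

# Constructed sample in the documented shape of ~/.cursor/mcp.json.
SAMPLE_MCP_JSON = """
{
  "mcpServers": {
    "github":    {"command": "npx", "args": ["-y", "@modelcontextprotocol/server-github"],
                  "env": {"GITHUB_PERSONAL_ACCESS_TOKEN": "ghp_exampletoken"}},
    "docs":      {"url": "http://docs.internal.example/sse"},
    "filesys":   {"command": "/usr/local/bin/mcp-fs", "args": ["/home/dev/project"]},
    "websearch": {"url": "https://search.example.com/mcp"}
  }
}
"""

# Launchers that download the server at run time; a version pin is the minimum to ask for.
RUNTIME_FETCHERS = {"npx", "uvx", "pipx", "bunx"}
PINNED = re.compile(r"\w(@|==)\d")                      # pkg@1.2.3 or pkg==1.2.3
SECRET_KEY = re.compile(r"(token|secret|password|api[_-]?key)", re.IGNORECASE)


def audit_mcp_config(text: str) -> list:
    """Return one record per configured server: its kind, the endpoint or
    command line, and any hygiene flags worth a reviewer's attention."""
    cfg = json.loads(text)
    findings = []
    for name, spec in cfg.get("mcpServers", {}).items():
        record = {"name": name, "kind": "unknown", "endpoint": "", "flags": []}
        if "url" in spec:
            record["kind"] = "remote"
            record["endpoint"] = spec["url"]
            if urlparse(spec["url"]).scheme != "https":
                record["flags"].append("remote server not using https")
        elif "command" in spec:
            args = [str(a) for a in spec.get("args", [])]
            record["kind"] = "stdio"
            record["endpoint"] = " ".join([spec["command"], *args])
            launcher = spec["command"].rsplit("/", 1)[-1]
            if launcher in RUNTIME_FETCHERS and not any(PINNED.search(a) for a in args):
                record["flags"].append(
                    f"{launcher} fetches the server at run time without a version pin")
        for key in spec.get("env", {}):                 # report key names only, never values
            if SECRET_KEY.search(key):
                record["flags"].append(f"credential stored in config: {key}")
        findings.append(record)
    return findings


def print_report(findings: list) -> None:
    for f in findings:
        status = "REVIEW" if f["flags"] else "ok"
        print(f"[{status:6}] {f['name']:10} {f['kind']:7} {f['endpoint']}")
        for flag in f["flags"]:
            print(f"          - {flag}")


if __name__ == "__main__":
    print_report(audit_mcp_config(SAMPLE_MCP_JSON))
```

To use it on a real machine, feed it the contents of ~/.cursor/mcp.json and of each repository's .cursor/mcp.json in place of the embedded sample; the output is a list of records, so the same function can be run across a fleet and the results aggregated.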
Cybersecurity as a strategic priority
DuneSlide is the fourth vulnerability of this kind documented in Cursor since August 2025, and Cato AI Labs warns it will not be the last they find in the coding agent ecosystem. The pattern is consistent with what the Apolo blog has documented throughout June: the UK's NCSC warning about the risks of unsupervised generated code, and Cordyceps demonstrating that CI/CD pipelines themselves are vulnerable to insecure workflow composition. DuneSlide adds a third layer to that narrative: the very editor where the developer writes code can be hijacked with no click required. For organisations that have adopted AI code editors as part of their daily workflow, today's question is direct: do you know which version of Cursor or similar tools your developers are using, and what external context sources their AI agents have enabled?
Apolo Cybersecurity: security audit of AI coding agents
At Apolo Cybersecurity we help organisations assess the risk of their AI-assisted development tools: verification of update status for editors like Cursor across the entire developer fleet, auditing of MCP connections and external context sources enabled in coding agents, design of network controls complementary to these tools' native sandboxing, and assessment of the scope of credentials and permissions accessible from development environments.
If your organisation uses Cursor or another AI code editor and you have no confirmation that all teams are on the latest patched version, now is the time to verify it.