Two critical remote code execution (RCE) vulnerabilities have been found in Cursor IDE, the AI-powered development environment used by more than half of Fortune 500 companies.
Cato AI Labs has disclosed the two flaws, dubbed “DuneSlide,” both of which carry a 9.8 CVSS severity score. Assigned CVE-2026-50548 and CVE-2026-50549, they allow attackers to break out of Cursor’s sandbox entirely.
The vulnerabilities demonstrate that prompt injection attacks can extend beyond manipulating an LLM’s output and reach into classical code paths never previously considered part of the attack surface.
Exploitation lets a threat actor overwrite critical system files, such as the cursorsandbox binary, converting sandboxed terminal commands into fully unsandboxed RCE and compromising both the local machine and connected SaaS workspaces.
Both bugs are triggered without any user privileges or deliberate interaction; a victim only needs to issue an innocuous prompt that inadvertently ingests attacker-controlled content from an untrusted source, such as an MCP server response or a poisoned web search result.
Figure: Cursor IDE RCE Vulnerabilities (Source: Cato AI Labs)
Cursor 2.x runs agent terminal commands inside a sandbox automatically, without prompting for approval, a design meant to reduce approval fatigue while limiting how far a simple prompt injection can escalate.
Vulnerability #1: Working Directory Manipulation
CVE-2026-50548 stems from how Cursor’s sandbox grants write access to a command’s working directory. Because working_directory is an optional, LLM-controlled parameter of the run_terminal_cmd tool, a prompt injection can steer the agent into setting it to an attacker-chosen path outside the project root.
This lets the attacker write to sensitive locations, including the cursorsandbox helper at /Applications/Cursor.app/Contents/Resources/app/resources/helpers/cursorsandbox, or files like ~/.zshrc and ~/Library/LaunchAgents, neutralizing sandbox restrictions for subsequent commands in the same injection.
Vulnerability #2: Symlink Canonicalization Bypass
CVE-2026-50549 is an independent flaw in Cursor’s path resolution logic. A prompt injection can direct the agent to create a symlink inside the project directory pointing to an external file; when Cursor’s canonicalization step fails (for example, because the target doesn’t exist or lacks read permissions), the agent falls back to trusting the original, unvalidated symlink path.
This bypasses out-of-bounds write checks, letting attackers overwrite the same cursorsandbox helper through the symlink and achieve privileged RCE without any user interaction.
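Both flaws come down to a path check that trusts an unverified value: the LLM-supplied working_directory in the first, the raw symlink path after a failed canonicalization in the second. The sketch below is an added example, not Cursor's or Cato AI Labs' code; it shows a fail-closed version of both checks, and every function name and the directory layout in it are hypothetical.

```python
import tempfile
from pathlib import Path

class PathRejected(Exception):
    """The path could not be proven to stay inside the project root."""

def strict(path: Path) -> Path:
    # Canonicalize; any failure is a rejection, never a fallback to the raw path.
    try:
        return path.resolve(strict=True)
    except (OSError, RuntimeError) as exc:  # missing, unreadable, symlink loop
        raise PathRejected(f"cannot canonicalize {path}") from exc

def inside(root: Path, path: Path) -> Path:
    if path != root and root not in path.parents:
        raise PathRejected(f"{path} escapes {root}")
    return path

def check_working_directory(project_root: str, working_directory: str) -> Path:
    root = strict(Path(project_root))  # the tool argument below is untrusted input
    return inside(root, strict(root / working_directory))

def check_write_target(project_root: str, candidate: str) -> Path:
    root = strict(Path(project_root))
    path = root / candidate
    if path.name in ("", ".."):
        raise PathRejected(f"{candidate!r} does not name a file")
    # The file may not exist yet, so canonicalize its parent directory.
    target = strict(path.parent) / path.name
    target = strict(target) if target.is_symlink() else target  # dangling link: rejected
    return inside(root, target)

def demo() -> dict:
    # Constructed layout: a project directory beside an "outside" directory.
    base = Path(tempfile.mkdtemp())
    (base / "project" / "src").mkdir(parents=True)
    (base / "outside").mkdir()
    (base / "project" / "link").symlink_to(base / "outside" / "missing")
    root, results = str(base / "project"), {}
    for check, arg in ((check_working_directory, "../outside"),
                       (check_write_target, "link"), (check_write_target, "src/new.txt")):
        try:
            results[arg] = str(check(root, arg))
        except PathRejected:
            results[arg] = "rejected"
    return results

if __name__ == "__main__":
    print(demo())
```

A check like this has to run at the moment of the write, since a path validated earlier can be replaced with a symlink before it is used.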
DuneSlide underscores that sandboxing alone cannot contain autonomous coding agents when parameter validation and path-resolution edge cases remain exploitable through prompt injection.
Cato AI Labs states it is continuing responsible disclosure across other popular coding agents, signaling that systemic, architecture-level defenses, not one-off patches, are needed to secure AI-driven development tools.
The post Critical Cursor IDE RCE Vulnerabilities Enable Prompt Injection in Zero-Click appeared first on Cyber Security News.



