Full Report
Two flaws in Cursor, an AI code editor, could let a single, ordinary-looking prompt break out of the editor's safety sandbox and run any command on a developer's computer. There is no click to fall for and no approval box to ignore. Cato AI Labs found the pair and named them DuneSlide. They are tracked as CVE-2026-50548 and CVE-2026-50549, both rated 9.8 out of 10 (or 9.3
Analysis Summary
# Vulnerability: DuneSlide (Cursor AI Sandbox Escape)
## CVE Details
- **CVE ID:** CVE-2026-50548 (Working Directory Abuse) and CVE-2026-50549 (Symlink Safety Check Bypass)
- **CVSS Score:** 9.8 (v3.x) / 9.3 (v4.0) (Critical)
- **CWE:** CWE-22 (Path Traversal) / CWE-59 (Link Following) / CWE-94 (Code Injection)
## Affected Systems
- **Products:** Cursor AI Code Editor
- **Versions:** All versions prior to 3.0
- **Configurations:** Systems where the AI agent is permitted to read external data (e.g., via Model Context Protocol (MCP), web search, or connected services like Slack/Linear).
## Vulnerability Description
DuneSlide consists of two critical vulnerabilities that allow "zero-click" remote code execution by bypassing Cursor's security sandbox.
* **CVE-2026-50548:** This flaw exploits the `working_directory` parameter in the `run_terminal_cmd` tool. Normally, writes are restricted to the project folder. However, when a non-default system path is supplied as the working directory, the sandbox automatically whitelists that path. This allows an attacker to overwrite critical system files or the sandbox helper itself (`cursorsandbox`).
* **CVE-2026-50549:** This flaw exploits the symlink resolution logic. Cursor attempts to verify that a symlink's destination is within the project directory. If the check itself fails (e.g., if the attacker removes read permissions from a folder in the path), Cursor defaults to trusting the link, so the check fails open. Attackers use this to point symlinks to external system files, bypassing the directory restriction.
## Exploitation
- **Status:** PoC available (Research by Cato AI Labs); No known exploitation in the wild.
- **Complexity:** Low (Requires no user interaction/clicks).
- **Attack Vector:** Network (Indirect Prompt Injection). The attack is delivered via malicious instructions hidden in external data sources (web pages, MCP-connected apps) that the AI agent reads.
## Impact
- **Confidentiality:** High (Total access to developer files and editor-stored credentials).
- **Integrity:** High (Ability to run arbitrary commands as the local user).
- **Availability:** High (Potential for system-wide disruption or deletion of data).
## Remediation
### Patches
- **Update to Cursor 3.0 or later.** This version was released on April 2, 2026, and addresses both sandbox escape vectors.
### Workarounds
- **Disable MCP Connections:** Temporarily disconnect or vet external Model Context Protocol services.
- **Restrict AI Web Access:** Limit the agent's ability to browse the live web for content.
- **Manual Oversight:** While these specific bugs are "zero-click," monitoring the terminal output for unexpected directory changes or file writes remains a best practice.
## Detection
- **Indicators of Compromise:**
  - Unexpected modifications to `~/.zshrc`, `~/.bashrc`, or system startup scripts.
  - Alterations to the `cursorsandbox` helper located at: `/Applications/Cursor.app/Contents/Resources/app/resources/helpers/cursorsandbox` (on macOS).
- **Detection Methods:** Audit logs for the `run_terminal_cmd` tool showing path parameters pointing outside the active project directory.
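
The audit described under Detection Methods, as an added example (not Cursor's code and not from the Cato AI Labs research): it flags `run_terminal_cmd` calls whose `working_directory` resolves outside the project, and it treats any path it cannot resolve as outside, the opposite of the fail-open behaviour in CVE-2026-50549. The JSON record layout, the `args` and `command` keys, and the function names are assumptions made for illustration.

```python
import json
import tempfile
from pathlib import Path

def is_inside(project_root: Path, candidate: str) -> bool:
    """Containment check that fails closed: any resolution error counts as outside."""
    try:
        root = project_root.resolve(strict=True)
        # resolve() follows symlinks and "..", so the final real path is compared
        target = (root / candidate).resolve(strict=True)
    except (OSError, RuntimeError):  # unreadable, missing, or looping path
        return False
    return target == root or root in target.parents

def audit(log_lines, project_root: Path) -> list:
    """Return working_directory values of run_terminal_cmd calls outside the project."""
    flagged = []
    for line in log_lines:
        call = json.loads(line)
        if call.get("tool") != "run_terminal_cmd":
            continue
        wd = call.get("args", {}).get("working_directory")
        if wd is not None and not is_inside(project_root, wd):
            flagged.append(wd)
    return flagged

def demo() -> list:
    """Build a throwaway tree plus constructed log records and audit them."""
    with tempfile.TemporaryDirectory() as tmp:
        project, outside = Path(tmp, "project"), Path(tmp, "outside")
        (project / "src").mkdir(parents=True)
        outside.mkdir()
        (project / "link").symlink_to(outside)  # in-project symlink leaving the project
        dirs = ["src", str(outside), "link", "../outside", "missing/dir"]
        # Constructed records; the JSON layout is assumed, not Cursor's log format
        lines = [json.dumps({"tool": "run_terminal_cmd",
                             "args": {"working_directory": d, "command": "ls"}})
                 for d in dirs]
        lines.append(json.dumps({"tool": "read_file", "args": {"path": "/etc/hosts"}}))
        return audit(lines, project)

if __name__ == "__main__":
    for wd in demo():
        print("outside project:", wd)
```

Only the `src` call passes; the absolute path, the in-project symlink, the `..` traversal and the unresolvable path are all reported.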
## References
- **Vendor Advisory:** hXXps://github[.]com/cursor/cursor/security/advisories/GHSA-3v8f-48vw-3mjx
- **Researcher Original Post:** hXXps://www[.]catonetworks[.]com/blog/duneslide-two-critical-rce-vulnerabilities/
- **NVD Record:** hXXps://nvd[.]nist[.]gov/vuln/detail/CVE-2026-50549