Critical Cursor IDE RCE Vulnerabilities Allow Zero-Click Prompt Injection
Key Takeaways
- Two critical remote code execution (RCE) vulnerabilities, collectively named “DuneSlide,” have been discovered in Cursor IDE.
- These flaws (CVE-2026-50548 and CVE-2026-50549) allow zero-click prompt injection attacks to fully bypass Cursor’s sandbox, leading to complete system compromise.
- The vulnerabilities affect Cursor IDE 2.x, a popular AI-powered development environment used by a significant portion of Fortune 500 companies.
- A fix is available; users should update their Cursor IDE to the latest patched version immediately.
Security researchers have uncovered two severe remote code execution (RCE) vulnerabilities within Cursor IDE, an AI-powered development environment leveraged by a substantial number of Fortune 500 organizations. These critical flaws, dubbed “DuneSlide,” enable attackers to achieve full system compromise through a novel zero-click prompt injection technique, completely circumventing the IDE’s built-in sandbox.
Disclosed by Cato AI Labs, the vulnerabilities are tracked as CVE-2026-50548 and CVE-2026-50549, both carrying a CVSS severity score of 9.8. Their discovery highlights a concerning evolution in prompt injection attacks, demonstrating how these techniques can extend beyond merely manipulating a Large Language Model’s (LLM) output to directly exploit conventional code execution paths previously not considered part of the attack surface.
Successful exploitation of these weaknesses allows a threat actor to overwrite critical system files, including the cursorsandbox binary. This effectively transforms commands intended to run within the sandbox into fully unsandboxed RCE, jeopardizing both the local developer machine and any connected SaaS workspaces. Crucially, these bugs can be triggered without any user privileges or explicit interaction. A victim needs only to issue a seemingly harmless prompt that inadvertently incorporates attacker-controlled content from an untrusted source, such as a malicious MCP server response or a poisoned web search result.
Cursor IDE version 2.x automatically executes agent terminal commands within a sandbox, a design choice aimed at reducing user approval fatigue while simultaneously limiting the potential escalation of simple prompt injection attacks. However, the “DuneSlide” vulnerabilities demonstrate that this containment mechanism can be entirely bypassed.
Vulnerability #1: Working Directory Manipulation (CVE-2026-50548)
The first vulnerability, CVE-2026-50548, arises from how Cursor’s sandbox grants write access to a command’s working directory. The working_directory parameter, an optional and LLM-controlled component of the run_terminal_cmd tool, can be manipulated via prompt injection. This allows an attacker to direct the agent to set the working directory to an arbitrary path outside the intended project root.
By exploiting this, attackers can write to sensitive locations on the system. This includes overwriting the cursorsandbox helper application located at /Applications/Cursor.app/Contents/Resources/app/resources/helpers/cursorsandbox, or modifying user-level startup configuration such as ~/.zshrc and the ~/Library/LaunchAgents directory. Such actions effectively neutralize sandbox restrictions for subsequent commands executed as part of the same injection, paving the way for full RCE.
Vulnerability #2: Symlink Canonicalization Bypass (CVE-2026-50549)
The second independent flaw, CVE-2026-50549, resides in Cursor’s path resolution logic. Through a carefully crafted prompt injection, an attacker can instruct the agent to create a symbolic link (symlink) within the project directory that points to an external file. If Cursor’s canonicalization process fails—for instance, because the symlink’s target does not exist or lacks read permissions—the agent defaults to trusting the original, unvalidated symlink path.
This bypasses out-of-bounds write checks, enabling attackers to overwrite the same critical cursorsandbox helper through the malicious symlink. This method also achieves privileged RCE without any user interaction, underscoring that even robust sandboxing mechanisms can be compromised when parameter validation and edge cases in path resolution are not thoroughly secured against prompt injection.
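Both flaws come down to a containment check on a path the LLM controls: the working directory must stay inside the project root, and a path that cannot be canonicalized must be denied rather than trusted. The Python sketch below is an added example, not Cursor's code or the researchers' proof of concept. The fail-open function is an assumed model of the behaviour described above, and all function names and the temporary directory layout are constructed for illustration.

```python
import os
import tempfile
from pathlib import Path

ERRS = (OSError, RuntimeError)  # RuntimeError: symlink loop on older Pythons

def _contained(root, real):
    return real == root or root in real.parents

def inside_root_fail_open(root, requested):
    """Assumed model of the flaw: failed canonicalization falls back to the raw path."""
    root = Path(root).resolve(strict=True)
    p = root / requested
    try:
        real = p.resolve(strict=True)
    except ERRS:
        real = p  # unvalidated path is trusted
    return _contained(root, real)

def inside_root_fail_closed(root, requested):
    """Hardened check: deny whenever the real location cannot be established."""
    root = Path(root).resolve(strict=True)
    p = root / requested
    try:
        real = p.resolve(strict=True)
    except ERRS:
        # Only a not-yet-created plain file is acceptable: the leaf must not be
        # a symlink (dangling or unreadable) and its parent must resolve.
        try:
            if p.is_symlink() or p.name in ("", ".", ".."):
                return False
            real = p.parent.resolve(strict=True) / p.name
        except ERRS:
            return False
    return _contained(root, real)

def demo():
    """Constructed layout: project/ holding a dangling link to a path outside it."""
    with tempfile.TemporaryDirectory() as tmp:
        project, outside = Path(tmp, "project"), Path(tmp, "outside")
        (project / "src").mkdir(parents=True)
        outside.mkdir()
        os.symlink(outside / "helper", project / "link")  # target does not exist
        return {
            "dangling_symlink_fail_open": inside_root_fail_open(project, "link"),
            "dangling_symlink_fail_closed": inside_root_fail_closed(project, "link"),
            "cwd_outside_root": inside_root_fail_closed(project, "../outside"),
            "new_file_inside_root": inside_root_fail_closed(project, "src/new.txt"),
        }
```

A check like this is still exposed to check-then-write races, so the write itself should refuse to follow symlinks (for example by opening with O_NOFOLLOW) or operate relative to an already-validated directory descriptor.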
The “DuneSlide” findings emphasize that relying solely on sandboxing is insufficient to contain autonomous coding agents, especially when vulnerabilities related to parameter validation and path-resolution edge cases remain exploitable through prompt injection. Cato AI Labs states they are continuing to engage in responsible disclosure with other popular coding agent vendors, highlighting the urgent need for systemic, architecture-level defenses rather than isolated patches to secure the growing ecosystem of AI-driven development tools.
What You Should Do
- Update Immediately: Ensure your Cursor IDE is updated to the latest patched version to mitigate these critical vulnerabilities.
- Exercise Caution with Prompts: Be wary of prompts that ingest content from untrusted external sources, such as suspicious web search results or unknown MCP server responses.
- Review Development Workflows: Assess existing development workflows that utilize AI coding agents for potential exposure to prompt injection vectors.
- Implement Least Privilege: Adhere to the principle of least privilege for developer environments and integrated tools.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.


