Researchers have disclosed two critical security vulnerabilities in the widely used AI-powered code editor, Cursor. Dubbed DuneSlide, these flaws allowed attackers to completely bypass the IDE’s command execution sandbox via zero-click prompt injection, granting them full Remote Code Execution (RCE) on a developer’s host operating system.
The flaws have a near-maximum severity rating with a CVSS score of 9.8. Security patches addressing these vulnerabilities were quietly integrated into Cursor Version 3.0.
The Breakdown: How DuneSlide Escaped the Sandbox
Discovered by cybersecurity firm Cato Networks, the vulnerabilities leveraged Cursor’s automated terminal execution feature. Because the AI agent executes commands programmatically to assist developers, it occasionally processes untrusted third-party data—such as web search results, Model Context Protocol (MCP) servers, or repository files—without requiring a manual “OK” from the user.
If an attacker poisoned these data sources with malicious prompts, the editor would digest the payload and execute the exploit automatically.
The threat relies on two distinct structural logic flaws:
1. Working Directory Abuse (CVE-2026-50548)
Cursor’s sandbox is designed to restrict file writes exclusively to the active project folder. However, researchers discovered that if an AI agent modified the working_directory parameter inside the run_terminal_cmd function, Cursor would inadvertently append that new path to its list of allowed directories.
The Impact: An attacker could trick the AI into changing its directory to a root system folder and overwriting the core cursorsandbox executable itself. Once overwritten, all future commands would execute completely outside sandbox constraints.
2. Symlink Path Canonicalization Failure (CVE-2026-50549)
Independent of the directory exploit, the second flaw targeted how Cursor resolves absolute file paths (canonicalization). If an AI agent was instructed to create a symbolic link (symlink) targeting a file outside the project directory, Cursor would attempt to verify if it was out of bounds.
The Bug: If the path verification ran into a permission error or a non-existent directory, Cursor’s verification system failed open in the attacker’s favor: it fell back to using the local symlink path rather than the external destination path. This allowed malicious instructions to write data anywhere on the system via write-only symlinks.
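The fail-open fallback described above, next to a fail-closed version of the same check, as an added Python example. It is not Cursor's code: the function names and the temporary directory layout are constructed for illustration.

```python
import os
import shutil
import tempfile

def _inside(root, path):
    return os.path.commonpath([root, path]) == root

def _resolve(path):
    os.stat(path)  # follows links; raises OSError on a dangling link or EACCES
    return os.path.realpath(path)

def allowed_fail_open(root, target):
    """Flawed pattern: a resolution error falls back to the unresolved path."""
    try:
        resolved = _resolve(target)
    except OSError:
        resolved = os.path.abspath(target)  # the link's own in-project path
    return _inside(root, resolved)

def allowed_fail_closed(root, target):
    """Hardened pattern: any resolution error is a denial."""
    try:
        if os.path.lexists(target):
            resolved = _resolve(target)
        else:  # new file: its parent directory must resolve inside the root
            parent = _resolve(os.path.dirname(os.path.abspath(target)))
            resolved = os.path.join(parent, os.path.basename(target))
    except OSError:
        return False
    return _inside(root, resolved)

def demo():
    base = os.path.realpath(tempfile.mkdtemp())  # constructed layout
    try:
        project = os.path.join(base, "project")
        os.mkdir(project)
        dangling = os.path.join(project, "notes.txt")
        os.symlink(os.path.join(base, "absent", "file"), dangling)
        new_file = os.path.join(project, "new.txt")
        return {
            "fail_open_dangling": allowed_fail_open(project, dangling),
            "fail_closed_dangling": allowed_fail_closed(project, dangling),
            "fail_closed_new_file": allowed_fail_closed(project, new_file),
        }
    finally:
        shutil.rmtree(base)

if __name__ == "__main__":
    print(demo())
```

The fail-closed variant still permits creating a new file in the project, because it resolves the parent directory instead of trusting the unresolved leaf path.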
“These flaws reveal a native friction in agentic AI platforms. When we combine autonomous tools like terminal executors with public internet data, the data itself becomes the code execution vector.” — Cato Networks Research Team
Impact and Remediation
| Vulnerability | CVE ID | CVSS | Core Vulnerability | Risk |
| --- | --- | --- | --- | --- |
| DuneSlide Part 1 | CVE-2026-50548 | 9.8 | AI-controlled working_directory path inclusion | Unsanitized OS-level command execution |
| DuneSlide Part 2 | CVE-2026-50549 | 9.8 | Fallback logic error in symlink path checking | Out-of-bounds writing via malicious links |
If left unpatched, a successful exploit could give threat actors access to local environment variables, proprietary algorithms, cloud service tokens, and hardcoded API keys.
What You Need to Do
Fortunately, there is no evidence that these flaws have been actively exploited in the wild. Cursor rolled out the official fix alongside its major overhaul in Cursor Version 3.0.
If your development team utilizes Cursor, ensure all local instances have been updated to Version 3.0 or higher. You can check your current version status directly inside the editor’s settings pane (Cursor > Help > About).