DuneSlide Vulnerabilities Expose AI Code Editor Cursor to Zero-Click RCE
Two critical vulnerabilities, dubbed 'DuneSlide,' have been discovered in the popular AI code editor, **Cursor**. These flaws allow an attacker to bypass the editor's sandbox via prompt injection, enabling arbitrary command execution on a developer's machine with no user interaction. The issues are now patched in **Cursor 3.0**, underscoring the ongoing challenges in securing AI-powered development tools.
# DuneSlide: Critical RCE Flaws Bypass Cursor's AI Sandbox
IT security professionals and privacy-conscious users should take immediate notice: two critical vulnerabilities, collectively named **DuneSlide**, have been identified in the **Cursor** AI code editor. These flaws, tracked as **CVE-2026-50548** and **CVE-2026-50549**, both carry a severe CVSS score of 9.8 (or 9.3 under CVSS 4.0), indicating their high impact.
Discovered by **Cato AI Labs**, **DuneSlide** represents a significant threat. A single, seemingly innocuous prompt can allow an attacker to escape **Cursor**'s protective sandbox and execute arbitrary commands on a developer's system. Critically, this is a "zero-click" exploit, requiring no user interaction or approval.
The fix for these vulnerabilities is available in **Cursor 3.0**, released on April 2nd. All previous versions are affected. Given that **Cursor** states over half of the **Fortune 500** utilize their tool, immediate updates are strongly advised for all users.
## Understanding the Sandbox Bypass
Starting with its 2.x line, **Cursor** implemented a sandbox to isolate terminal commands executed by its AI agent, preventing accidental system modifications. **DuneSlide**'s objective is to break out of this controlled environment.
The attack vector relies on prompt injection. An attacker doesn't directly type into your **Cursor** editor. Instead, malicious instructions are embedded within content the AI agent processes on your behalf, such as data from a connected service via the **Model Context Protocol (MCP)** or information retrieved from a web search. When a user issues a normal query, the hidden instructions are inadvertently processed, leading to the zero-click compromise.
Both vulnerabilities leverage a similar tactic: tricking the AI agent into writing a file it shouldn't have access to, then using that write operation to disable the sandbox.
* **CVE-2026-50548** exploits a configuration flaw. The sandbox permits writes to a command's working directory, which is an optional parameter (`working_directory`) for **Cursor**'s `run_terminal_cmd` tool. When the AI agent sets this parameter to a non-default path, **Cursor** adds that path to its allowed-write list without further validation. Attackers can inject instructions to point this at a critical system file, such as the sandbox helper itself (`/Applications/Cursor.app/Contents/Resources/app/resources/helpers/cursorsandbox` on macOS), effectively neutralizing the sandbox for subsequent commands. Startup files like `~/.zshrc` are also viable targets.
* **CVE-2026-50549** abuses a safety check related to symbolic links. Before writing, **Cursor** attempts to resolve symbolic links to ensure the destination is within the project directory. The vulnerability lies in the fallback mechanism: if this check fails (e.g., due to a non-existent target or manipulated read permissions), **Cursor** defaults to trusting the link's declared in-project path. An attacker can create a malicious symlink pointing outside the project, force the check to fail, and then write directly to the sandbox helper, achieving the same escape.
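
An added example (not Cursor's code and not taken from Cato's research) that models the two checks above in Node.js: a fallback that trusts the declared path when symlink resolution fails, beside a fail-closed check that can also vet a tool-supplied working directory. The function names and the temporary-directory fixture are constructed for illustration.

```javascript
const fs = require("fs");
const os = require("os");
const path = require("path");

// True when canonical path `child` is `root` or lies beneath it.
function isInside(root, child) {
  const rel = path.relative(root, child);
  return rel !== ".." && !rel.startsWith(".." + path.sep) && !path.isAbsolute(rel);
}

// Model of the fallback described above: resolution failed, so trust the declared path.
function lenientCheck(projectRoot, declared) {
  let target;
  try { target = fs.realpathSync(declared); }
  catch { target = path.resolve(declared); } // fails open; the link is never followed
  return isInside(fs.realpathSync(projectRoot), target);
}

// Fail-closed check: canonicalize the deepest existing ancestor, deny anything unresolvable.
function strictCheck(projectRoot, declared) {
  let existing = path.resolve(declared);
  const tail = [];
  for (;;) {
    try { fs.lstatSync(existing); break; } // exists, possibly as a symlink
    catch (e) {
      if (e.code !== "ENOENT") return false; // EACCES and friends: deny, do not guess
      tail.unshift(path.basename(existing));
      if (path.dirname(existing) === existing) return false;
      existing = path.dirname(existing);
    }
  }
  let real;
  try { real = fs.realpathSync(existing); } // dangling link or unreadable dir throws
  catch { return false; }
  return isInside(fs.realpathSync(projectRoot), path.join(real, ...tail));
}

// Constructed fixture: project dir, sibling dir, dangling symlink crossing between them.
function demo() {
  const base = fs.realpathSync(fs.mkdtempSync(path.join(os.tmpdir(), "ws-")));
  const project = path.join(base, "project"), outside = path.join(base, "outside");
  fs.mkdirSync(project); fs.mkdirSync(outside);
  const link = path.join(project, "notes.txt");
  fs.symlinkSync(path.join(outside, "helper"), link); // target does not exist yet
  const out = { lenientLink: lenientCheck(project, link), strictLink: strictCheck(project, link),
    strictNewFile: strictCheck(project, path.join(project, "src", "new.txt")),
    strictWorkdir: strictCheck(project, outside) };
  fs.rmSync(base, { recursive: true, force: true });
  return out;
}
```

`demo()` shows the lenient check approving the dangling link while the strict check denies it, still allows a not-yet-created file inside the project, and denies a sibling directory offered as a working directory.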
Once the sandbox is bypassed, the next command executes with the full privileges of the developer, granting control over the local machine and any connected cloud or SaaS workspaces. All of this can stem from a seemingly harmless prompt.
There is currently no evidence of **DuneSlide** being exploited in the wild; **Cato AI Labs** presented this as research. **Cato** reported these issues on February 19th. Initially, **Cursor** rejected the reports, stating that its threat model did not cover misuse of **MCP** servers. However, upon escalation on February 26th, **Cursor** reopened the reports, triaged them, and subsequently released fixes in version 3.0. The **CVE** IDs were assigned on June 5th.
**Cursor** has published its own [advisory](https://github.com/cursor/cursor/security/advisories/GHSA-3v8f-48vw-3mjx) for the symlink bug, and its [**NVD** record](https://nvd.nist.gov/vuln/detail/CVE-2026-50549) is now live.
## A Recurring Pattern for AI Code Editors
**DuneSlide** is not an isolated incident but rather the latest in a series of prompt-poisoning vulnerabilities affecting **Cursor**, all leading to code execution by circumventing various security measures. Previous notable incidents include:
* **CurXecute** (**CVE-2025-54135**, August 2025): Discovered by the same team (then operating as **Aim Security**), this flaw allowed a planted **Slack** message to rewrite **Cursor**'s `~/.cursor/mcp.json` configuration, executing commands even if the user rejected the edit. Fixed in **Cursor 1.3**.
* **MCPoison** (**CVE-2025-54136**): Identified by **Check Point Research**, this vulnerability enabled an attacker to get an **MCP** configuration approved once, then silently swap in malicious commands without requiring further user prompts.
* **CVE-2026-26268** (February 2026): This flaw involved a booby-trapped **Git** hook hidden in a repository that would trigger the moment the AI agent executed a **Git** command. Patched in **Cursor 2.5**.
The sandbox implemented in **Cursor 2.x** was designed as a direct response to this earlier wave of vulnerabilities. **DuneSlide** demonstrates a successful circumvention of that very protection.
**Cato AI Labs** suggests that similar structural flaws may exist in other coding agents, implying that the issue extends beyond individual products. This raises a critical question for developers and vendors of AI agents that interact with the open web: should a default posture of treating every input as potentially hostile become the industry standard, or will the current reactive, patch-by-patch approach persist?