Cato AI Labs disclosed a pair of critical flaws in the Cursor AI code editor, together dubbed DuneSlide, that let an attacker turn an ordinary AI prompt into full remote code execution on a developer's machine, with no click and no approval box to ignore. Both rate 9.8 out of 10, both defeat the sandbox Cursor added specifically to contain its AI agent, and the trigger is nothing more exotic than the agent reading attacker-controlled text from a web search or a connected tool. It is the clearest sign yet that prompt injection is not just an AI problem, it is a classic RCE vector wearing a new coat.
- DuneSlide is two RCE bugs, CVE-2026-50548 and CVE-2026-50549, both scored 9.8, that break out of Cursor's default agent sandbox.
- The attack is zero-click prompt injection: a poisoned MCP response or web-search result carries hidden instructions the agent executes on your behalf.
- The payoff is overwriting a trusted file (the sandbox helper binary or ~/.zshrc), which turns later sandboxed commands into unsandboxed code execution.
- Both are fixed in Cursor 3.0 (April 2, with the symlink fix following by June 1); every version before 3.0 is affected, and Cursor says over half the Fortune 500 use it.
What is DuneSlide, in plain terms?
Starting with its 2.x line, Cursor runs the terminal commands its AI agent issues inside a sandbox by default: a locked box that limits what those commands can touch, so a stray instruction cannot wreck your machine. DuneSlide is about getting out of that box. Cato AI Labs found two different ways to do it, both leading to full remote code execution on the host and any connected SaaS workspace. The name covers both bugs because they share the same shape: use the AI agent's own file-writing powers to overwrite something the system trusts, then let normal behavior do the rest.
How does a prompt become code execution?
The entry point is prompt injection, and the crucial detail is that the victim never types the malicious instruction. The attacker plants it inside something the agent reads on your behalf: a page returned by a web search, or a response from a service connected through the Model Context Protocol. As Cato puts it, the exploit requires no prior privileges or specific interaction; it triggers when a victim makes an innocuous prompt that inadvertently ingests attacker-controlled content from an untrusted source. The agent, trying to be helpful, follows the hidden instructions. Because the agent can write files, those instructions can point a write at a file that controls the sandbox itself.
| Detail | CVE-2026-50548 | CVE-2026-50549 |
|---|---|---|
| Root cause | Working-directory abuse | Symlink / path-resolution fallback |
| The flaw | Sandbox trusts a custom working_directory and adds it to the allowed-write list | When the safety check fails, Cursor trusts the shortcut's in-project path anyway |
| Typical target | cursorsandbox helper, ~/.zshrc | Files outside the project via symlink |
| Severity | 9.8 (critical) | 9.8 (critical) |
| Fixed in | Cursor 3.0 (Apr 2) | Follow-up fix by Jun 1 |
Why do the two bugs matter separately?
Because they attack two different guardrails, which is what makes DuneSlide a pattern rather than a one-off. CVE-2026-50548 abuses a setting: the sandbox permits writes into a command's working folder, and that folder is an optional parameter the agent controls, so injected instructions point it at a system file instead of the project. Overwrite the macOS sandbox helper binary and later commands run with no sandbox at all. CVE-2026-50549 abuses a safety check: before writing, Cursor resolves symlinks to confirm the target is inside your project, but when that check fails, because the file does not exist or read access was removed, it falls back to trusting the shortcut's claimed path. Two independent code paths, same outcome, which is exactly why Cato argues this needs a systemic fix, not a patch per bug.
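To make the two guardrail failures concrete, here is an added example, written for this article rather than taken from Cursor's code or Cato's writeup. It puts the weak policy the paragraph describes (an unchecked agent-supplied working directory, and a symlink check that falls back to the claimed path when resolution fails) beside a fail-closed version, and runs both against a scratch project that contains a dangling symlink pointing outside it. Every path, file name and function name is constructed for the example.

```python
"""Fail-closed path containment for an agent's file writes (added example).

`permissive_write_allowed` models the two weak behaviours: an agent-supplied
working directory is added to the allow-list unchecked, and when symlink
resolution fails the unresolved path is trusted. `strict_write_allowed`
denies in both situations. Names and layout are constructed, not Cursor's.
"""
import shutil
import tempfile
from pathlib import Path
from typing import Dict, Optional, Tuple


def _inside(child: Path, root: Path) -> bool:
    """True when child is root or lies beneath it. Purely lexical, so both
    arguments must already be fully resolved."""
    try:
        child.relative_to(root)
        return True
    except ValueError:
        return False


def _resolve_or_none(p: Path) -> Optional[Path]:
    """Follow every symlink in p. None when that is impossible: a missing
    component, a dangling link, a loop, or no permission to read."""
    try:
        return p.resolve(strict=True)
    except (OSError, RuntimeError):
        return None


def permissive_write_allowed(project_root: Path, target: Path,
                             working_directory: Optional[Path] = None) -> bool:
    """Weak policy: trusts the working directory as given and, if the
    symlink check cannot complete, trusts the path the caller claimed."""
    roots = [project_root.resolve()]
    if working_directory is not None:
        roots.append(working_directory.absolute())   # never validated
    real = _resolve_or_none(target)
    if real is None:
        real = target.absolute()                      # fall back to claimed path
    return any(_inside(real, r) for r in roots)


def _real_write_location(target: Path) -> Optional[Path]:
    """Where a write to target would actually land. A symlink lands wherever
    it points, so an unresolvable link yields None. A not-yet-existing file
    lands in its parent directory, so the parent is resolved instead."""
    if target.is_symlink() or target.exists():
        return _resolve_or_none(target)
    parent = _resolve_or_none(target.parent)
    return None if parent is None else parent / target.name


def strict_write_allowed(project_root: Path, target: Path,
                         working_directory: Optional[Path] = None) -> bool:
    """Hardened policy: the working directory must itself resolve inside the
    project, and a target whose real location is unknown is refused."""
    root = project_root.resolve()
    if working_directory is not None:
        wd = _resolve_or_none(working_directory)
        if wd is None or not _inside(wd, root):
            return False                              # no extra write roots
    real = _real_write_location(target)
    return real is not None and _inside(real, root)


def run_demo() -> Dict[str, Tuple[bool, bool]]:
    """Build a scratch layout and return {case: (permissive, strict)}."""
    base = Path(tempfile.mkdtemp()).resolve()   # resolved: avoids /var vs /private/var noise
    project, outside = base / "project", base / "outside"
    (project / "src").mkdir(parents=True)
    outside.mkdir()
    (project / "src" / "main.py").write_text("print('hi')\n")
    # constructed hazard: a link inside the project whose target does not exist
    (project / "notes").symlink_to(outside / "secret")
    cases = {
        "existing project file": (project / "src" / "main.py", None),
        "new project file":      (project / "src" / "new.py", None),
        "dangling symlink out":  (project / "notes", None),
        "agent-chosen workdir":  (outside / "config", outside),
    }
    results = {}
    try:
        for name, (target, wd) in cases.items():
            results[name] = (permissive_write_allowed(project, target, wd),
                             strict_write_allowed(project, target, wd))
    finally:
        shutil.rmtree(base)
    return results


if __name__ == "__main__":
    for name, (loose, strict) in run_demo().items():
        print(f"{name:24s} permissive={loose!s:5s} strict={strict}")
```

The two policies agree on ordinary project files; they diverge exactly on the two cases the article names. The design point is that a containment check has only one safe answer when it cannot determine where a write will land, and that any extra write root must pass the same containment test as the files it admits.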
Who is exposed, and what should they do?
Anyone running Cursor below version 3.0, which Cato notes includes over half the Fortune 500 by Cursor's own count. The good news is the fix is already out: the working-directory bug was closed in Cursor 3.0 on April 2, and the symlink fix landed by June 1. The action is simple and urgent, update to Cursor 3.0 or later now. Until you do, do not let the agent process untrusted content: be wary of pointing it at arbitrary web results or connecting unvetted MCP servers, since those are the exact channels DuneSlide rides in on. This is also a reminder to treat AI-agent file and command permissions as a real attack surface, with confirmation gates on anything destructive.
- Aug 2025: CurXecute (CVE-2025-54135) disclosed. An earlier prompt-injection-to-RCE bug in Cursor from the same research lineage.
- Feb 26 2026: DuneSlide escalated to Cursor's security team. Reports reopened and triaged; fixes scoped.
- Apr 2 2026: Cursor 3.0 ships the working-directory fix. CVE-2026-50548 closed.
- Jun 1 2026: Symlink fix lands. CVE-2026-50549 closed.
- Jul 2026: Public disclosure by Cato AI Labs. Details published; systemic coding-agent research ongoing.
- More coding agents. Cato says it is disclosing similar bugs across popular coding agents. Expect DuneSlide-style flaws in rivals next.
- Sandbox hardening. The lesson is that a sandbox whose config the agent can edit is not a sandbox. Watch for permission redesigns.
- MCP trust. Connected tools are now an injection channel. Expect provenance and allow-listing controls for MCP responses.
- Patch lag. The fix exists; the risk is unpatched installs. Watch how fast enterprises actually roll out Cursor 3.0.
Our take
DuneSlide is more important than a single vendor's patch notes, because it proves a thesis security teams have been nervous about all year: prompt injection is a delivery mechanism for old-fashioned exploitation. The AI agent is not the vulnerability, it is the courier that carries an attacker's instructions past the human and into privileged code paths, working-directory handling and symlink resolution, that were never designed assuming the caller was hostile. Cursor did the right things, it patched quickly and it shipped a sandbox in the first place, but the deeper takeaway is that giving an LLM the ability to write files and run commands turns every untrusted string it reads into potential code. The fix for your machine is to update today. The fix for the industry is to stop treating agent sandboxes as safe when the agent can rewrite the sandbox's own rules.
- Official: Cato Networks, DuneSlide disclosure, full technical writeup
- Reference: The Hacker News coverage, summary and timeline
- Advisory: Cursor changelog, the 3.0 release and fixes
Original analysis by GenZTech. Figures current as of July 2026. Source: catonetworks.com
