2026-07-02 – DuneSlide Zero-Click Sandbox Escape in Cursor AI IDE (CVE-2026-50548 & CVE-2026-50549)

Breaking Out: “DuneSlide” Zero-Click Sandbox Escape Flaws Exposed in Cursor AI IDE

Executive Summary

A pair of critical vulnerabilities collectively named “DuneSlide” has been disclosed in the widely adopted Cursor AI-powered Integrated Development Environment (IDE). Tracked as CVE-2026-50548 and CVE-2026-50549, both vulnerabilities carry a severe 9.8 CVSS score. Disclosed by researchers at Cato AI Labs on July 1, 2026, these flaws allow unauthenticated remote attackers to execute arbitrary code on a developer’s host machine with zero user interaction. By utilizing prompt injection, threat actors can completely bypass Cursor’s command execution sandbox and take over local development machines. Web developers and enterprise software engineering teams are urged to immediately update to Cursor 3.0 or later to patch these issues.

Technical Deep-Dive

Cursor AI IDE is a highly popular fork of VS Code integrated with autonomous AI coding agents. To prevent rogue command execution, Cursor operates a command execution sandbox that by default restricts terminal file writes to the current project directory scope. DuneSlide consists of two independent architectural flaws that break this isolation boundary.

Vulnerability 1: Sandbox Escape via working_directory Parameter (CVE-2026-50548)

To automate terminal command execution, Cursor’s AI agent utilizes an internal tool named run_terminal_cmd. This tool supports a parameter called working_directory, allowing the agent to override the directory in which the command is run.

* The Flaw: The canonicalization and validation checks for the working_directory path were flawed.

* The Exploit: An attacker can use a prompt injection (e.g., hiding instructions in a poisoned web search result or a malicious Model Context Protocol (MCP) server response) to trick the underlying Large Language Model (LLM) into setting the working_directory to a path outside the project scope (such as system start-up folders like ~/Library/LaunchAgents on macOS or system folders on Windows).

* The Result: The command execution sandbox is bypassed, allowing the agent to write arbitrary files or overwrite the cursorsandbox binary itself.

Vulnerability 2: Symlink Canonicalization Failure (CVE-2026-50549)

* The Flaw: The Cursor Agent attempts to canonicalize paths (resolving symbolic links) to verify files are within the project root. However, the path-resolution logic contained a dangerous fallback: if canonicalization fails (for instance, when a path does not exist or lacks read permissions on intermediate directories), Cursor falls back to using the original out-of-bounds symlink path.

* The Exploit: A prompt injection can instruct the Cursor Agent to create a symbolic link (symlink) within the project folder pointing to a path outside the directory root. If canonicalization fails, the agent writes directly to the out-of-bounds destination.

* The Result: Attackers bypass directory write protections, allowing them to overwrite arbitrary files on the developer’s operating system.
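The fallback described for CVE-2026-50549, shown as an added example that is not Cursor's code: a containment check that judges the unresolved path when canonicalization fails, beside a form that fails closed. The function names and the temporary directory layout are constructed for illustration.

```python
import os
import tempfile
from pathlib import Path


def _inside(root: Path, path: Path) -> bool:
    """True if path is root or lies beneath it (component-wise, not prefix)."""
    return path == root or root in path.parents


def check_with_fallback(root: Path, target: Path) -> bool:
    """Flawed pattern: if canonicalization fails, judge the unresolved path."""
    root_real = Path(root).resolve(strict=True)
    try:
        resolved = Path(target).resolve(strict=True)
    except (OSError, RuntimeError):
        resolved = Path(os.path.abspath(target))  # symlinks stay unresolved
    return _inside(root_real, resolved)


def check_fail_closed(root: Path, target: Path) -> bool:
    """Resolve the deepest existing ancestor; deny on any resolution error."""
    if ".." in Path(target).parts:
        return False
    root_real = Path(root).resolve(strict=True)
    probe = Path(os.path.abspath(target))
    try:
        while not os.path.lexists(probe) and probe != probe.parent:
            probe = probe.parent  # new file: check where it would land
        return _inside(root_real, probe.resolve(strict=True))
    except (OSError, RuntimeError):
        return False  # dangling link, unreadable directory, symlink loop


def demo() -> dict:
    """Constructed layout in a temp dir: project/link is a symlink to outside/."""
    with tempfile.TemporaryDirectory() as tmp:
        project, outside = (Path(tmp).resolve() / n for n in ("project", "outside"))
        project.mkdir()
        outside.mkdir()
        os.symlink(outside, project / "link")
        escape = project / "link" / "new_file.txt"  # lands in outside/
        in_scope = project / "src" / "main.py"      # lands in project/
        checks = (check_with_fallback, check_fail_closed)
        return {c.__name__: (c(project, escape), c(project, in_scope)) for c in checks}


if __name__ == "__main__":
    print(demo())
```

Even the fail-closed check is a check-then-write sequence, so a path swapped between the check and the write is not covered by it.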

| Attribute | Details |
| --- | --- |
| CVE Identifiers | CVE-2026-50548 & CVE-2026-50549 |
| CVSS Score | 9.8 (Critical) |
| Affected Versions | All Cursor versions before 3.0 |

Industry Impact and Threat Landscape

As AI-assisted coding tools gain enterprise adoption, developer workstations are becoming high-value targets. A successful DuneSlide exploit enables zero-click compromise. There is no link to click or confirmation prompt to approve. Because the AI agent executes the injected prompts automatically to maintain workflow efficiency, a developer merely has to trigger an action that ingests untrusted code or search results.

Once compromised, attackers can:

1. Steal proprietary source code and intellectual property.

2. Extract environment variables, SSH keys, and cloud credentials stored in local profiles.

3. Compromise the software supply chain by injecting backdoor code into production repositories.

4. Establish persistent administrative backdoors on developer systems.

Recommendations and Mitigations

Organizations running Cursor IDE must implement the following remediation guidelines:

1. Apply the Cursor 3.0 Update: Immediately update all developer clients to Cursor 3.0 or later. The update introduces robust input validation and locks down symlink path verification.

2. Isolate AI Workspaces: Run autonomous AI coding agents inside containerized environments, sandboxed virtual machines, or restricted virtual hosts rather than directly on raw developer workstations.

3. Audit Third-Party Integrations: Exercise caution when connecting Cursor to untrusted MCP servers or letting AI agents ingest unverified web search data.