July 1, 2026 5m read

DuneSlide: Two Critical RCE vulnerabilities via Zero-Click Prompt Injection in Cursor IDE

Itay Ravia


TL;DR

Cato AI Labs has discovered two critical remote code execution (RCE) vulnerabilities in Cursor IDE, the popular development environment which, according to Cursor, is used by over half of the Fortune 500. Both vulnerabilities, which we refer to collectively as "DuneSlide," received a CVSS score of 9.8, involve breaking out of the IDE's sandbox environment, and were assigned CVE IDs CVE-2026-50548 and CVE-2026-50549.

Together, these vulnerabilities show how prompt injection can reach beyond the LLM layer and expose classical vulnerabilities in code paths that were not traditionally considered part of the attack surface.

Exploiting either of these critical vulnerabilities allows a threat actor to overwrite critical system files (like the cursorsandbox binary), transforming sandboxed commands into unsandboxed RCE and leading to full system compromise on both the host machine and connected SaaS workspaces.

Executive Summary

  • Critical Vulnerabilities Discovered: Cato AI Labs has identified two distinct, critical vulnerabilities in Cursor IDE, leading to non-sandboxed RCEs on the user’s machine.
  • Arbitrary File Write via Zero-Click Prompt Injection: These independent architectural flaws allow threat actors to utilize zero-click prompt injections to write arbitrary files on the developer’s local system.
  • Sandbox Escape and RCE: By leveraging these primitives, a threat actor can break out of the terminal sandbox, achieving full RCE and a complete system compromise.
  • Zero-Click Attack Vector: The exploit requires no prior user privileges or specific user interaction. It is triggered when a victim makes an innocuous prompt that inadvertently ingests a threat actor-controlled payload from an untrusted source, such as an MCP server or a web search result.

Technical Overview

The Cursor Sandbox and Attack Vector

Cursor 2.x shipped with automatic terminal command execution inside a sandbox by default, which operates without prompting the user for approval. This feature is built to prevent approval fatigue while also preventing threat actors from easily converting a simple prompt injection into an RCE.

Vulnerability #1: Working Directory Parameter Manipulation

The first vulnerability stems from how the sandbox constructs its security boundaries based on tool parameters. When a sandboxed command is executed, Cursor builds a seatbelt policy allowing writes into the current working directory.

  • While the default behavior is to set the working directory of the command execution to be the project root, the working_directory is an optional parameter of the run_terminal_cmd tool.
  • The flaw exists because when the LLM assigns a non-default value to this parameter, that path is blindly added to the sandbox’s allowed write list.
  • A prompt injection (served through an innocuous MCP server request, or a poisoned web result) can steer the LLM to set the working_directory to a threat actor-controlled path outside the project scope.
  • By writing to the cursorsandbox executable (/Applications/Cursor.app/Contents/Resources/app/resources/helpers/cursorsandbox), the threat actor ensures that future commands run without sandbox restrictions, so subsequent instructions within the same prompt injection lead to a non-sandboxed RCE.
  • Other vulnerable paths include ~/.zshrc, ~/.zshenv, or ~/Library/LaunchAgents.

Traditionally, a remote attacker cannot control the working directory of a sandboxed operation. Coding agents are a different kind of software, however: in this vulnerability, a prompt injection serves as the passageway to that part of the code.

Vulnerability #2: Symlink Canonicalization Failure

The second vulnerability is completely independent of the first and resides in Cursor’s file path resolution edge cases. It allows threat actors to bypass out-of-bounds write protections using symbolic links.

  • A prompt injection (via an innocuous MCP server request, or a poisoned web result) can instruct the Cursor Agent to create a symlink within the project directory that points to a file residing outside the project directory.
  • By default, the Cursor Agent attempts to canonicalize paths (resolving symlinks) to determine their true location and verify they are within the project root.
  • The vulnerability occurs because the canonicalization logic contains a dangerous fallback: if canonicalization fails (for example when the path doesn’t exist or if the path lacks read permissions on one of its directories), Cursor falls back to using the original symlink path inside the project directory.
  • A threat actor can then create a write-only symlink, forcing Cursor to treat the symlink path, rather than the target path, as the resolved location. The check that the ultimate destination is out of bounds therefore fails, allowing the threat actor to link to the cursorsandbox executable once more (/Applications/Cursor.app/Contents/Resources/app/resources/helpers/cursorsandbox).
  • Using the Write tool, the threat actor then overwrites this external file through the symlink, neutralizing the sandbox for subsequent commands executed as part of the same prompt injection and resulting in RCE.
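The two checks described above, modelled in Python as an added example (this is not Cursor's code; the `project`, `outside` and `sub` directories, the symlink names and the `helper` file are constructed stand-ins): the naive resolver keeps the un-resolved in-project path when canonicalization fails, which is the fallback that lets a dangling symlink pointing outside the project pass the out-of-bounds check (Vulnerability #2); the hardened resolver denies the write instead, and the allowed-write list only admits a `working_directory` that canonicalizes inside the project root (Vulnerability #1).

```python
import tempfile
from pathlib import Path
from typing import Dict, List, Optional


def is_within(root: Path, candidate: Path) -> bool:
    """True if candidate is root itself or lies below it (both already resolved)."""
    try:
        candidate.relative_to(root)
        return True
    except ValueError:
        return False


def naive_resolve(path: Path) -> Path:
    """The fallback the post describes: resolve symlinks, but when resolution
    fails, keep the original un-resolved path (which still looks in-project)."""
    try:
        return path.resolve(strict=True)
    except OSError:
        return path


def strict_resolve(path: Path) -> Optional[Path]:
    """Hardened: a path that cannot be fully canonicalized is not trusted at all."""
    try:
        return path.resolve(strict=True)
    except OSError:
        return None


def write_allowed_naive(project_root: Path, requested: Path) -> bool:
    """Out-of-bounds write check with the dangerous fallback (Vulnerability #2)."""
    root = project_root.resolve(strict=True)
    return is_within(root, naive_resolve(requested))


def write_allowed_hardened(project_root: Path, requested: Path) -> bool:
    """Same check, but a canonicalization failure denies the write."""
    root = project_root.resolve(strict=True)
    target = strict_resolve(requested)
    return target is not None and is_within(root, target)


def allowed_write_roots(project_root: Path, working_directory: Optional[str]) -> List[Path]:
    """Build the sandbox's allowed-write list (Vulnerability #1). The flaw the post
    describes is appending a non-default working_directory blindly; here it is
    admitted only if it canonicalizes to a location inside the project root."""
    root = project_root.resolve(strict=True)
    allowed = [root]
    if working_directory is not None:
        wd = strict_resolve(Path(working_directory))
        if wd is not None and wd != root and is_within(root, wd):
            allowed.append(wd)
    return allowed


def demo() -> Dict[str, object]:
    """Constructed scenario (not from the post): a project directory, an
    'outside' directory standing in for a protected location such as the
    sandbox helper's folder, and symlinks an agent might be steered to create."""
    results: Dict[str, object] = {}
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp).resolve()          # resolve once so comparisons are stable
        project = base / "project"
        outside = base / "outside"
        project.mkdir()
        outside.mkdir()
        (project / "sub").mkdir()
        (outside / "helper").write_text("stand-in for a protected binary\n")

        link_existing = project / "link_existing"   # resolvable, points outside
        link_existing.symlink_to(outside / "helper")
        link_dangling = project / "link_dangling"   # target does not exist yet
        link_dangling.symlink_to(outside / "not_yet")
        normal = project / "notes.txt"              # ordinary in-project file
        normal.write_text("fine\n")

        for name, p in (("existing", link_existing), ("dangling", link_dangling), ("normal", normal)):
            results[name] = (write_allowed_naive(project, p), write_allowed_hardened(project, p))

        results["wd_outside"] = len(allowed_write_roots(project, str(outside)))
        results["wd_inside"] = len(allowed_write_roots(project, str(project / "sub")))
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The telling row in `demo()` is the dangling link: the naive check approves it because the fallback compares the symlink's own in-project name against the root, while the hardened check refuses anything it cannot canonicalize. The same strict resolver feeds `allowed_write_roots`, so a working directory outside the project never reaches the sandbox policy.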

In most classical software, an external attacker cannot remotely create symlinks on a victim's machine. In this instance, a prompt injection turned the Cursor agent into a bridgehead for non-trivial operations that result in a full system compromise.

Responsible Disclosure

Cato AI Labs believes in securing the AI ecosystem and adhered to standard responsible disclosure practices for DuneSlide:

  • February 19: Vulnerabilities were reported to the Cursor team.
  • February 23: The vulnerabilities were rejected. The justification: Cursor’s threat model does not account for MCP server misuse even in cases where the MCP server itself is a standard, innocuous integration, like the official Linear.app workspace.
  • February 26: Escalation for both issues submitted directly to Cursor security team due to severity of the issues. The security team re-opened them and started triaging the reported vulnerabilities.
  • April 01: The Cursor team confirmed the working directory vulnerability fix will be shipped with the Cursor 3.0 client (released on April 2).
  • June 01: The Cursor team confirmed the link target vulnerability fix was also shipped with Cursor 3.0.
  • June 05: IDs CVE-2026-50548 and CVE-2026-50549 were assigned, confirming the critical severity of the vulnerabilities.

Conclusion

DuneSlide highlights the distinct architectural dangers of providing LLMs with autonomous command execution environments. While sandboxing is a necessary defense, distinct flaws in parameter validation and path resolution edge cases prove that zero-click prompt injections can chain isolated logic flaws into a full system takeover. Had these issues been singular cases of compromise via prompt injections, we might have attributed them to specific vulnerabilities. Cato AI Labs, however, is in the process of responsibly disclosing vulnerabilities in all popular coding agents, highlighting that a more systemic approach to protection is required. Stay tuned.

Itay Ravia

Itay Ravia is the Head of Cato AI Labs, which was formerly the research department of Aim Security. A vulnerability and AI researcher, Itay's favorite pastime is breaking things to find out how to fix them. Itay is a Talpiot alumnus, formerly Director of Research in Unit 8200, and a recipient of the Israel Defense Award. As part of his roles, Itay has mentored up and coming security professionals and delivered talks on multiple technical subjects, including "traditional" vulnerability research, AI research in the context of life sciences, and AI agents.
