DEV Community

Hamza
Hamza

Posted on • Originally published at tekmag.thsite.top

Cursor DuneSlide: Critical RCE Flaws in the AI Code Editor (CVE-2026-50548 & CVE-2026-50549)

CodingSecurityTechnology

Cursor DuneSlide: Critical RCE Flaws in the AI Code Editor (CVE-2026-50548 & CVE-2026-50549)

By Hamza Chahid
July 15, 20263 Min Read

0

Two critical remote code execution vulnerabilities in Cursor IDE — tracked as CVE-2026-50548 and CVE-2026-50549 and collectively named DuneSlide — allow attackers to escape the editor’s agent sandbox with zero clicks through poisoned web results, malicious MCP servers, or crafted repository files. Every Cursor 2.x release is affected, and the bugs carry a CVSS 9.8 severity rating.

Disclosed on July 1, 2026 by Cato Networks’ Cato AI Labs, the DuneSlide vulnerabilities represent the fourth prompt-injection RCE class reported against Cursor since August 2025. Cursor is used by over 50% of Fortune 500 companies and has more than 7 million active users as of mid-2026. The bugs were silently patched in Cursor 3.0, released April 2, 2026, three months before public disclosure.

What Makes DuneSlide Different From Previous Cursor Bugs

Earlier issues like CurXecute, MCPoison, and the February 2026 Git-hook injection each required specific user actions or narrow conditions. DuneSlide is different: both vulnerabilities can be triggered without any user click or approval. An attacker only needs to place poisoned content where Cursor’s agent will ingest it — a compromised MCP server response, a search result from Cursor’s built-in web browsing, or a crafted file inside a repository the developer opens.

Microsoft documented prompt injection attacks as “shell-equivalent” in a May 2026 security advisory, and DuneSlide proves the point concretely. The attack surface is structural — Cato AI Labs has disclosed similar sandbox-escaping flaws in other AI coding agents, suggesting this is not a Cursor-specific problem but a design weakness across the category.

CVE-2026-50548: The working_directory Bypass

Cursor’s agent exposes a run_terminal_cmd tool that accepts an optional working_directory parameter, controlled entirely by the LLM. The sandbox is supposed to restrict file writes to within the project directory, but the validation never checks whether the resolved path stays inside the project root.

A poisoned prompt can instruct the agent to set working_directory to an out-of-project sensitive path. On macOS, the prime target is /Applications/Cursor.app/Contents/Resources/app/resources/helpers/cursorsandbox — overwriting this file with attacker-controlled content disables all subsequent sandbox enforcement, allowing full shell access in follow-up commands. Shell startup files like ~/.zshrc or ~/.bashrc are also reachable through the same mechanism.

CVE-2026-50549: The Symlink Resolution Fallback

Before writing a file, Cursor resolves symlinks to confirm the real path is inside the project directory. The flaw is in the fallback behavior: when resolution fails — because the target is missing, or read permissions have been removed — Cursor trusts the in-project symlink path anyway.

An attacker creates a symlink inside the repository pointing to an external file, then arranges for the resolution to fail. Cursor writes through the symlink to the attacker’s chosen destination, which can again be the sandbox helper binary, startup scripts, or any other writable OS location. The two CVEs can be chained for higher reliability.

What This Means for Cursor Users

If you are still on Cursor 2.x, update to version 3.0 or later immediately — the fix has been available since April 2, 2026. After updating, take these additional steps:

  • Audit your MCP servers. Any compromised or untrusted MCP endpoint can inject commands that trigger the sandbox escape. Remove servers you do not actively use.
  • Disable web search in agent mode if your workflow does not strictly need it. Poisoned search results are one of the three confirmed entry vectors.
  • Avoid opening untrusted repositories with Cursor’s agent features enabled. A malicious .cursor/rules file, README, or MCP configuration file inside a repo can trigger DuneSlide on clone or open.
  • For enterprise teams: enforce a minimum Cursor version via MDM, prefer dev containers or GitHub Codespaces for sensitive projects, and audit MCP server permissions at the organizational level.

The broader lesson is that prompt injection is no longer a theoretical nuisance — it is a practical code execution vector that demands the same security discipline as traditional remote code execution. Treat any data channel that reaches your coding agent (web content, MCP responses, file contents) as untrusted input, and sandbox accordingly.

References

  1. DuneSlide: Two Critical RCE Vulnerabilities — Cato AI Labs
  2. Critical Cursor Flaws Could Let Prompt Injection Escape Sandbox — The Hacker News
  3. Sandbox bypass flaws in Cursor IDE highlight prompt injection as an RCE vector — CSO Online
  4. Cursor DuneSlide: Prompt Injection RCE in CVE-2026-50548 — Byteiota
  5. DuneSlide: Two Critical Cursor Flaws — Apolo Cybersecurity

Facebook
Twitter
LinkedIn
WhatsApp
Threads
Telegram
Email

CopyCopied

Tags:

AI SecurityCursorCVE-2026-50548CVE-2026-50549DuneSlidePrompt InjectionRCE

Tags:

AI Security Cursor CVE-2026-50548 CVE-2026-50549 DuneSlide Prompt Injection RCE

Top comments (0)