DuneSlide (CVE-2026-50548 / CVE-2026-50549): Zero-Click Prompt Injection Escapes Cursor’s Sandbox and Runs Arbitrary Code on Fortune 500 Developer Machines — No User Interaction Required
If you cannot update immediately:
1. Disable all MCP server connections in Cursor settings until you can update.
2. Do not use Cursor’s agent to perform web searches against unfamiliar domains.
3. Audit /Applications/Cursor.app/Contents/Resources/app/resources/helpers/cursorsandbox — if this binary has been modified unexpectedly, treat the machine as compromised.
4. Review ~/.zshrc, ~/Library/LaunchAgents/, and the MCP config at ~/.cursor/mcp.json for unexpected modifications.

Sources: Cato AI Labs primary research — “DuneSlide: Two Critical RCE Vulnerabilities via Zero-Click Prompt Injection in Cursor IDE” · The Hacker News · CSO Online · CybersecurityNews · GBHackers · Cyberpress · Let’s Data Science · OffSeq Threat Radar

CVEs: CVE-2026-50548 · CVE-2026-50549 | Name: DuneSlide | Discovered by: Cato AI Labs | CVSS 3.1: 9.8 (Critical) | Affected tool: Cursor IDE — all versions before 3.0 | User base: 50%+ of the Fortune 500 | SpaceX acquisition: $60 billion in stock | Attack type: Zero-click prompt injection → sandbox escape → unsandboxed RCE | User interaction required: None — only an innocuous prompt that ingests attacker-controlled content | Patched in: Cursor 3.0 — April 2, 2026 | In-the-wild exploitation: No confirmed cases prior to disclosure
The developer made a normal prompt. The agent read an MCP response. The sandbox binary was overwritten. No click. No approval box. Full machine.
On July 1, 2026, Cato AI Labs published the disclosure for DuneSlide — two critical remote code execution vulnerabilities in Cursor IDE, the AI-powered code editor that Cursor reports is used by more than half of the Fortune 500, and which SpaceX recently acquired for $60 billion in stock. Tracked as CVE-2026-50548 and CVE-2026-50549 and rated CVSS 9.8, the vulnerabilities enable a zero-click prompt injection attack that escapes Cursor’s terminal sandbox and runs arbitrary code on a developer’s machine with no user interaction required beyond a completely normal, innocuous prompt.
The attack does not require opening a malicious file. It does not require clicking a phishing link. It does not require approving a suspicious dialog. It requires only that Cursor’s AI agent, in the course of doing exactly what it was designed to do, reads content from an attacker-controlled source — an MCP server response, a poisoned web search result, a compromised API endpoint — while the developer is using the tool normally. The injected instructions in that content then manipulate Cursor’s sandbox logic and overwrite the sandbox binary itself, after which every subsequent command runs entirely uncontained on the host machine and in connected SaaS workspaces.
Cato AI Labs closes their disclosure with a finding that extends the impact well beyond Cursor: “Cato AI Labs is in the process of responsibly disclosing vulnerabilities in all popular coding agents, highlighting that a more systemic approach to protection is required.” DuneSlide is not a Cursor-specific bug. It is a demonstration that the architectural pattern shared by all current agentic coding tools — an LLM that reads untrusted content, has access to developer secrets, and can execute terminal commands — is structurally vulnerable to this class of attack regardless of which sandbox implementation is in place.
| Field | Detail |
|---|---|
| Name | DuneSlide |
| CVEs | CVE-2026-50548 · CVE-2026-50549 |
| CVSS 3.1 | 9.8 (Critical) — 9.3 under CVSS 4.0 |
| Discovered by | Cato AI Labs (Cato Networks) |
| Disclosed | July 1, 2026 |
| Reported to Cursor | February 19, 2026 |
| Initially rejected by Cursor | February 23 — “threat model does not cover MCP server misuse” |
| Reopened and triaged | February 26 — after Cato escalated directly to security team |
| Patched | Cursor 3.0 — April 2, 2026 (CVE-2026-50548) · June 1, 2026 (CVE-2026-50549) |
| CVE IDs assigned | June 5, 2026 |
| Affected versions | All Cursor versions before 3.0 |
| User base | 50%+ of the Fortune 500 (Cursor’s own figure) |
| Owner | Acquired by SpaceX for $60 billion in stock |
| Attack type | Zero-click prompt injection → sandbox escape → unsandboxed RCE |
| Entry point | MCP server response OR poisoned web search result — any untrusted content the agent reads |
| User interaction required | None — only a normal innocuous prompt that causes the agent to ingest attacker content |
| CVE-2026-50548 mechanism | working_directory parameter abuse → write to cursorsandbox binary → sandbox neutralized |
| CVE-2026-50549 mechanism | symlink canonicalization fallback abuse → write outside project root via unvalidated symlink |
| Post-exploitation | Full machine compromise + connected SaaS workspace compromise |
| In-the-wild exploitation | No confirmed cases prior to disclosure |
| Cato’s broader finding | Similar flaws in all popular coding agents — disclosures ongoing |
CVE-2026-50548: the working directory that wasn’t watching the door
Starting with the 2.x release line, Cursor introduced automatic terminal command execution inside a sandbox. When the AI agent issues a shell command, Cursor’s sandbox allows it to execute without a user-approval prompt — reducing friction for the developer — but restricts what the command can write to, limiting writes to the command’s working directory.
The vulnerability is in how that working directory is determined. working_directory is an optional parameter on Cursor’s run_terminal_cmd tool — and crucially, it is LLM-controlled. The AI agent sets this parameter based on the context of what it is doing. An injected instruction in attacker-controlled content — an MCP server response, a poisoned web search result — directs the agent to set working_directory to an attacker-chosen path outside the project root. When the agent does so, Cursor adds that path to the sandbox’s allowed-write list without further validation.
From there, the injected instruction directs the agent to overwrite the cursorsandbox binary itself: /Applications/Cursor.app/Contents/Resources/app/resources/helpers/cursorsandbox. Once that binary is replaced with an attacker-controlled version, all subsequent terminal commands in the same session run with no sandbox at all. Alternative targets include startup files like ~/.zshrc and LaunchAgent plists at ~/Library/LaunchAgents/ — both provide persistence that survives the current Cursor session and executes at next login.
As Cato’s writeup frames it precisely: “The exploit requires no prior user privileges or specific user interaction. It is triggered when a victim makes an innocuous prompt that inadvertently ingests a threat actor-controlled payload from an untrusted source, such as an MCP server or a web search result.”
CVE-2026-50549: the symlink the canonicalization check couldn’t follow
CVE-2026-50549 is an independent vulnerability in Cursor’s path resolution logic — specifically in how Cursor validates whether a write target is inside the project directory before allowing it.
Cursor resolves symlinks (shortcuts) to verify that the real destination of a write sits inside the project root. This check is the security boundary. The vulnerability is the fallback behavior when that check fails: when the canonicalization step cannot determine the real path — because the target does not exist yet, or because the attacker has removed read access from a directory in the path — Cursor gives up and trusts the symlink’s stated in-project path instead of blocking the write.
An injected instruction directs the agent to create a symlink inside the project directory pointing to an external system file. When Cursor’s canonicalization step fails on that symlink — by design, because the target has been made temporarily unresolvable — Cursor falls back to trusting the unvalidated symlink path. The agent then writes to the external system file through the symlink, achieving the same sandbox escape outcome as CVE-2026-50548 through a completely independent code path.
The significance of having two independent paths to the same outcome: patching one does not protect against the other, and a fix to one gives no assurance about the other. Both CVE-2026-50548 and CVE-2026-50549 were patched in Cursor 3.0, but their independence demonstrates that the underlying architectural problem — untrusted input controlling LLM-governed parameters that interact with system-level operations — is not addressed by fixing any single code path.
The initial rejection — and what it reveals about AI tool threat modeling
Cato AI Labs reported both vulnerabilities to Cursor on February 19, 2026. On February 23, Cursor rejected both reports. The stated justification: “Cursor’s threat model does not account for MCP server misuse even in cases where the MCP server itself is a standard, innocuous integration, like the official Linear.app workspace.”
This is a significant disclosure in its own right — more significant, arguably, than the technical details of the vulnerabilities themselves. Cursor’s threat model explicitly excluded MCP server-delivered prompt injection as an attack vector, even when the MCP server involved is an official, vetted integration used by enterprise customers. The threat model that governs the security design of an AI tool used by the majority of Fortune 500 companies did not consider that content flowing through a legitimate, enterprise-approved integration could carry malicious instructions.
Cato escalated directly to Cursor’s security team on February 26. The team reopened both reports and began triaging. This trajectory — initial rejection on threat model grounds, escalation, reopening — is the same pattern that preceded the Chaotic Eclipse / Microsoft Defender disclosure campaign DataWater covered yesterday in Article #37. The pattern has a name in the security research community: a vendor’s threat model failing to account for an attack class until a researcher demonstrates it is exploitable in production, at which point the fix is retroactive rather than architectural.
The history: DuneSlide is the fourth round of Cursor prompt injection exploits
DuneSlide is not the first demonstration that Cursor’s agent is vulnerable to prompt injection. The Hacker News documents the prior rounds, all from the same research lineage:
- CurXecute (CVE-2025-54135, August 2025) — from Cato AI Labs when they operated as Aim Security. A planted Slack message rewrote Cursor’s ~/.cursor/mcp.json config and ran commands even after the user rejected the edit. Patched in Cursor 1.3.
- MCPoison (CVE-2025-54136, 2025) — from Check Point Research. Gets an MCP config approved once, then quietly swaps in malicious commands with no second prompt. Exploits the approval-once model that many MCP integrations use.
- CVE-2026-26268 (February 2026) — hid a booby-trapped Git hook in a repository that fired the moment the agent ran a Git command. Patched in Cursor 2.5.
- DuneSlide (CVE-2026-50548 / CVE-2026-50549, July 2026) — escapes the sandbox that Cursor introduced in the 2.x line as its response to the earlier wave. Patched in Cursor 3.0.
The pattern across all four: each attack defeats a specific guardrail. Cursor adds a guardrail, the next attack defeats it. The guardrail addition → defeat cycle is what Cato AI Labs means by describing the problem as structural rather than a string of one-offs. No individual patch closes the underlying vulnerability: an LLM agent that reads untrusted content, has access to credentials and system resources, and executes commands will always be a prompt injection target unless the architecture constrains what untrusted content can influence in the command-execution path.
The structural implication: sandboxing is not sufficient for agentic tools
Cato AI Labs’ conclusion from DuneSlide is the most important finding in the disclosure, and it applies directly to every agentic coding tool currently in production use — Claude Code, GitHub Copilot Agent, Gemini CLI, Windsurf, and every equivalent:
“Together, these vulnerabilities show how prompt injection can reach beyond the LLM layer and expose classical vulnerabilities in code paths that were not traditionally considered part of the attack surface. These findings emphasize that mere sandboxing cannot secure autonomous coding agents when parameter validation is inadequate. Cato AI Labs is pushing for systemic, architecture-level solutions rather than isolated patches to secure AI-based development tools.”
The specific architectural recommendation implicit in their analysis: parameter validation for LLM-controlled tool parameters — particularly those that interact with the filesystem, network, or process execution — must treat LLM-provided values as untrusted inputs, applying the same sanitization and boundary enforcement that secure application code applies to user-supplied inputs. The LLM is not a trusted component. In an agentic system, the LLM is the new user-input layer, and everything it provides to downstream system calls must be treated accordingly.
This connects directly to DataWater’s Claude Code reverse shell coverage from July 1 — Mozilla 0DIN’s finding that Claude Code can be walked into opening a reverse shell through a DNS TXT record payload delivered via an error message in a clean repository. The 0DIN attack and DuneSlide exploit the same fundamental property: an agentic coding tool that treats content it reads as trusted context rather than as untrusted user input equivalent. The attack surface is the agent’s context window, not any specific implementation detail that a targeted patch can close.
What to do right now
- Update Cursor to version 3.0 or later immediately. Cursor → Help → Check for Updates. Both CVE-2026-50548 and CVE-2026-50549 are patched in 3.0. Every version before 3.0 is vulnerable — this applies regardless of what operating system you run Cursor on.
- Verify the cursorsandbox binary has not been modified. On macOS: check /Applications/Cursor.app/Contents/Resources/app/resources/helpers/cursorsandbox. Any unexpected modification of this binary indicates the machine should be treated as compromised.
- Audit recent changes to startup files. Review ~/.zshrc, ~/.bash_profile, ~/Library/LaunchAgents/, and ~/.cursor/mcp.json for any additions you don’t recognize — particularly if you have been running Cursor versions before 3.0 against projects with active MCP server connections.
- Audit all MCP server connections in Cursor. Every MCP server you connect to is a potential injection point. Audit your MCP connections and remove any that are not actively required. Treat MCP server responses as untrusted input — even official, enterprise-approved integrations like Linear.
- Rotate credentials if you were running a vulnerable version. If you were running Cursor before 3.0 with active MCP connections or web search capabilities, treat your environment secrets — API keys, cloud credentials, Git tokens — as potentially compromised and rotate them.
- Apply the same scrutiny to Claude Code, Copilot Agent, Gemini CLI, and every equivalent tool. Cato AI Labs states they are disclosing similar flaws in all popular coding agents. DuneSlide is the public face of a broader finding about the entire category. Assume every agentic coding tool with MCP connectivity and autonomous terminal execution has analogous architectural exposure until vendor-specific security reviews confirm otherwise.
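The binary and startup-file checks in the list above are easier to repeat if a baseline is recorded while the machine is known-good. The script below is an added example, not Cursor tooling and not from Cato’s disclosure: it hashes the cursorsandbox binary and the startup files named above, stores the digests in a baseline file, and on later runs reports which of them changed, appeared or disappeared, plus any LaunchAgent plist modified recently. The baseline location ~/.cursor-audit-baseline.json and the 30-day window are assumptions made for this example; the audited paths are the macOS paths from the article.

```python
# Added example (not Cursor's or Cato's tooling): baseline-and-diff audit of
# the files the checklist names. BASELINE_PATH and the 30-day window are
# assumptions for this example; the audited paths come from the article.
import hashlib
import json
import os
import time
from typing import Optional

CURSOR_SANDBOX = "/Applications/Cursor.app/Contents/Resources/app/resources/helpers/cursorsandbox"
STARTUP_FILES = [os.path.expanduser(p) for p in ("~/.zshrc", "~/.bash_profile", "~/.cursor/mcp.json")]
LAUNCH_AGENTS = os.path.expanduser("~/Library/LaunchAgents")
BASELINE_PATH = os.path.expanduser("~/.cursor-audit-baseline.json")  # assumed location


def sha256_of(path: str) -> Optional[str]:
    """Hex digest of a file, or None when it is absent. Absence is recorded
    deliberately: a startup file that appears later is itself a finding."""
    try:
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        return h.hexdigest()
    except FileNotFoundError:
        return None


def snapshot(paths: list) -> dict:
    """Map each path to its digest (None if absent)."""
    return {p: sha256_of(p) for p in paths}


def compare(baseline: dict, current: dict) -> dict:
    """Classify drift between two snapshots as added, removed or modified."""
    report = {"added": [], "removed": [], "modified": []}
    for path in sorted(set(baseline) | set(current)):
        before, after = baseline.get(path), current.get(path)
        if before == after:
            continue
        if before is None:
            report["added"].append(path)
        elif after is None:
            report["removed"].append(path)
        else:
            report["modified"].append(path)
    return report


def recently_modified(directory: str, max_age_days: float, now: Optional[float] = None) -> list:
    """Files directly under `directory` whose mtime falls inside the window;
    for LaunchAgents any new or touched plist deserves a look."""
    now = time.time() if now is None else now
    cutoff = now - max_age_days * 86400
    if not os.path.isdir(directory):
        return []
    found = []
    for name in sorted(os.listdir(directory)):
        full = os.path.join(directory, name)
        if os.path.isfile(full) and os.stat(full).st_mtime >= cutoff:
            found.append(full)
    return found


def run_audit(baseline_path: str = BASELINE_PATH) -> dict:
    """First run records a baseline; later runs report drift against it and
    any LaunchAgent file touched in the last 30 days."""
    current = snapshot([CURSOR_SANDBOX] + STARTUP_FILES)
    if not os.path.exists(baseline_path):
        with open(baseline_path, "w") as f:
            json.dump(current, f, indent=2)
        return {"baseline_written": baseline_path}
    with open(baseline_path) as f:
        baseline = json.load(f)
    report = compare(baseline, current)
    report["recent_launch_agents"] = recently_modified(LAUNCH_AGENTS, 30)
    return report


if __name__ == "__main__":
    print(json.dumps(run_audit(), indent=2))
```

A digest change says only that a file changed, not why; a Cursor update will legitimately replace the sandbox binary, so re-record the baseline after each known-good update. For the signed application bundle, Apple’s codesign --verify is the stronger integrity check, and an unexplained digest change or signature failure should be handled as the checklist says: treat the machine as compromised.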
Related DataWater Coverage
- → Claude Code Reverse Shell — Mozilla 0DIN — Yesterday’s Article: Same Attack Class, Clean GitHub Repo, DNS TXT Payload, No Scanner Catches It
- → Claude Code Prompt Injection — Article #23 — June 8: CI/CD Secrets via Hidden HTML Comment, Safety Filters Bypassed
- → Cordyceps: CI/CD Supply Chain — The Pipeline DuneSlide’s Unsandboxed RCE Runs Inside
- → Six Microsoft Defender Zero-Days in 90 Days — The Same Vendor Threat-Model-Rejection Pattern That Preceded the DuneSlide Disclosure
- → White House AI Executive Order — The Policy Response to the AI Agentic Attack Surface DuneSlide Demonstrates
- → $1,000 AI Agent Finds 21 FFmpeg Zero-Days — AI as Vulnerability Finder: The Defensive Side of the Same Capability DuneSlide Weaponizes
Sources and further reading
- Cato AI Labs — DuneSlide: Two Critical RCE Vulnerabilities via Zero-Click Prompt Injection in Cursor IDE (Primary Research)
- The Hacker News — Critical Cursor Flaws Could Let Prompt Injection Escape Sandbox and Run Commands
- CSO Online — Sandbox Bypass Flaws in Cursor IDE Highlight Prompt Injection as an RCE Vector
- CybersecurityNews — Critical Cursor IDE RCE Vulnerabilities Enable Prompt Injection in Zero-Click
- GBHackers — Critical Cursor IDE Flaws Let Attackers Execute Code via Zero-Click Prompt Injection
- Cyberpress — Critical Cursor IDE RCE Flaws Let Attackers Overwrite System Files via Prompt Injection
DataWater publishes daily cybersecurity intelligence for enterprise and government security leaders. Article #38 — July 2, 2026. Previous: Six Microsoft Defender Zero-Days in 90 Days (July 1) · Claude Code Reverse Shell — Mozilla 0DIN (July 1) · Device Code Phishing 37x Spike (June 29).
