DuneSlide (CVE-2026-50548 / CVE-2026-50549): Zero-Click Prompt Injection Escapes Cursor’s Sandbox and Runs Arbitrary Code on Fortune 500 Developer Machines — No User Interaction Required

PATCH IMMEDIATELY — Cursor 3.0: Both vulnerabilities are patched in Cursor 3.0, released April 2, 2026. Every version before 3.0 is vulnerable. Update via Cursor → Help → Check for Updates. Verify your version is 3.0 or later before opening Cursor against any project that uses MCP server connections or performs web searches via the agent.

If you cannot update immediately: (1) Disable all MCP server connections in Cursor settings until you can update. (2) Do not use Cursor’s agent to perform web searches against unfamiliar domains. (3) Audit /Applications/Cursor.app/Contents/Resources/app/resources/helpers/cursorsandbox — if this binary has been modified unexpectedly, treat the machine as compromised. (4) Review ~/.zshrc, ~/Library/LaunchAgents/, and MCP config at ~/.cursor/mcp.json for unexpected modifications.
The developer made a normal prompt. The agent read an MCP server response. The sandbox binary was overwritten. No click. No approval box. Full machine. | DataWater Threat Brief, July 2, 2026

Sources: Cato AI Labs primary research — “DuneSlide: Two Critical RCE Vulnerabilities via Zero-Click Prompt Injection in Cursor IDE” · The Hacker News · CSO Online · CybersecurityNews · GBHackers · Cyberpress · Let’s Data Science · OffSeq Threat Radar
CVEs: CVE-2026-50548 · CVE-2026-50549
Name: DuneSlide
Discovered by: Cato AI Labs
CVSS 3.1: 9.8 (Critical)
Affected tool: Cursor IDE — all versions before 3.0
User base: 50%+ of the Fortune 500
SpaceX acquisition: $60 billion in stock
Attack type: Zero-click prompt injection → sandbox escape → unsandboxed RCE
User interaction required: None — only an innocuous prompt that ingests attacker-controlled content
Patched in: Cursor 3.0 — April 2, 2026
In-the-wild exploitation: No confirmed cases prior to disclosure


On July 1, 2026, Cato AI Labs published the disclosure for DuneSlide — two critical remote code execution vulnerabilities in Cursor IDE, the AI-powered code editor that Cursor reports is used by more than half of the Fortune 500, and which SpaceX recently acquired for $60 billion in stock. Tracked as CVE-2026-50548 and CVE-2026-50549 and rated CVSS 9.8, the vulnerabilities enable a zero-click prompt injection attack that escapes Cursor’s terminal sandbox and runs arbitrary code on a developer’s machine with no user interaction required beyond a completely normal, innocuous prompt.

The attack does not require opening a malicious file. It does not require clicking a phishing link. It does not require approving a suspicious dialog. It requires only that Cursor’s AI agent, in the course of doing exactly what it was designed to do, reads content from an attacker-controlled source — an MCP server response, a poisoned web search result, a compromised API endpoint — while the developer is using the tool normally. The injected instructions in that content then manipulate Cursor’s sandbox logic, overwrite the sandbox binary itself, and subsequent commands run entirely uncontained on the host machine and connected SaaS workspaces.

Cato AI Labs closes their disclosure with a finding that extends the impact well beyond Cursor: “Cato AI Labs is in the process of responsibly disclosing vulnerabilities in all popular coding agents, highlighting that a more systemic approach to protection is required.” DuneSlide is not a Cursor-specific bug. It is a demonstration that the architectural pattern shared by all current agentic coding tools — an LLM that reads untrusted content, has access to developer secrets, and can execute terminal commands — is structurally vulnerable to this class of attack regardless of which sandbox implementation is in place.

Name: DuneSlide
CVEs: CVE-2026-50548 · CVE-2026-50549
CVSS 3.1: 9.8 (Critical) — 9.3 under CVSS 4.0
Discovered by: Cato AI Labs (Cato Networks)
Disclosed: July 1, 2026
Reported to Cursor: February 19, 2026
Initially rejected by Cursor: February 23 — “threat model does not cover MCP server misuse”
Reopened and triaged: February 26 — after Cato escalated directly to security team
Patched: Cursor 3.0 — April 2, 2026 (CVE-2026-50548) · June 1, 2026 (CVE-2026-50549)
CVE IDs assigned: June 5, 2026
Affected versions: All Cursor versions before 3.0
User base: 50%+ of the Fortune 500 (Cursor’s own figure)
Owner: Acquired by SpaceX for $60 billion in stock
Attack type: Zero-click prompt injection → sandbox escape → unsandboxed RCE
Entry point: MCP server response OR poisoned web search result — any untrusted content the agent reads
User interaction required: None — only a normal innocuous prompt that causes the agent to ingest attacker content
CVE-2026-50548 mechanism: working_directory parameter abuse → write to cursorsandbox binary → sandbox neutralized
CVE-2026-50549 mechanism: symlink canonicalization fallback abuse → write outside project root via unvalidated symlink
Post-exploitation: Full machine compromise + connected SaaS workspace compromise
In-the-wild exploitation: No confirmed cases prior to disclosure
Cato’s broader finding: Similar flaws in all popular coding agents — disclosures ongoing

CVE-2026-50548: the working directory that wasn’t watching the door

Starting with the 2.x release line, Cursor introduced automatic terminal command execution inside a sandbox. When the AI agent issues a shell command, Cursor’s sandbox allows it to execute without a user-approval prompt — reducing friction for the developer — but restricts what the command can write to, limiting writes to the command’s working directory.

The vulnerability is in how that working directory is determined. working_directory is an optional parameter on Cursor’s run_terminal_cmd tool — and crucially, it is LLM-controlled. The AI agent sets this parameter based on the context of what it is doing. An injected instruction in attacker-controlled content — an MCP server response, a poisoned web search result — directs the agent to set working_directory to an attacker-chosen path outside the project root. When the agent does so, Cursor adds that path to the sandbox’s allowed-write list without further validation.

From there, the injected instruction directs the agent to overwrite the cursorsandbox binary itself: /Applications/Cursor.app/Contents/Resources/app/resources/helpers/cursorsandbox. Once that binary is replaced with an attacker-controlled version, all subsequent terminal commands in the same session run with no sandbox at all. Alternative targets include startup files like ~/.zshrc and LaunchAgent plists at ~/Library/LaunchAgents/ — both provide persistence that survives the current Cursor session and executes at next login.

As Cato’s writeup frames it precisely: “The exploit requires no prior user privileges or specific user interaction. It is triggered when a victim makes an innocuous prompt that inadvertently ingests a threat actor-controlled payload from an untrusted source, such as an MCP server or a web search result.”

CVE-2026-50549: the symlink the canonicalization check couldn’t follow

CVE-2026-50549 is an independent vulnerability in Cursor’s path resolution logic — specifically in how Cursor validates whether a write target is inside the project directory before allowing it.

Cursor resolves symlinks (shortcuts) to verify that the real destination of a write sits inside the project root. This check is the security boundary. The vulnerability is the fallback behavior when that check fails: when the canonicalization step cannot determine the real path — because the target does not exist yet, or because the attacker has removed read access from a directory in the path — Cursor gives up and trusts the symlink’s stated in-project path instead of blocking the write.

An injected instruction directs the agent to create a symlink inside the project directory pointing to an external system file. When Cursor’s canonicalization step fails on that symlink — by design, because the target has been made temporarily unresolvable — Cursor falls back to trusting the unvalidated symlink path. The agent then writes to the external system file through the symlink, achieving the same sandbox escape outcome as CVE-2026-50548 through a completely independent code path.

The significance of having two independent paths to the same outcome: patching one does not protect against the other, and any future patch to one creates no false assurance about the other. Both CVE-2026-50548 and CVE-2026-50549 were patched in Cursor 3.0, but their independence demonstrates that the underlying architectural problem — untrusted input controlling LLM-governed parameters that interact with system-level operations — is not addressed by fixing any single code path.
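As an added illustration (not Cursor’s code and not Cato’s proof of concept), the Python below models the two path-validation defects described above beside a fail-closed gate: a canonicalizer that falls back to the stated path when resolution fails (the CVE-2026-50549 shape), and a gate that checks an agent-supplied working_directory against the project root before trusting it (the CVE-2026-50548 shape). Function names and the temporary project layout are constructed for the example.

```python
import os
import tempfile
from typing import Optional

def inside_root(root: str, real_path: str) -> bool:
    return os.path.commonpath([root, real_path]) == root  # both paths already canonical

def canonicalize_with_fallback(path: str) -> str:
    """Assumed shape of the CVE-2026-50549 defect, not Cursor's code: when the real
    path cannot be resolved (e.g. the target does not exist yet), trust the stated path."""
    real = os.path.realpath(path)
    return real if os.path.exists(real) else os.path.abspath(path)

def canonicalize_fail_closed(path: str) -> Optional[str]:
    """Hardened form: deny (None) if any component is a symlink; resolve the deepest
    existing ancestor and append the missing tail lexically. There is no fallback."""
    path = os.path.abspath(path)
    prefix = os.sep
    for part in path.split(os.sep)[1:]:
        prefix = os.path.join(prefix, part)
        if os.path.islink(prefix):
            return None
    probe = path
    while not os.path.exists(probe):
        probe = os.path.dirname(probe)
    real = os.path.realpath(probe)
    return real if probe == path else os.path.join(real, os.path.relpath(path, probe))

def allow_write_target(project_root: str, requested: str) -> bool:
    """Gate for an LLM-supplied path parameter such as working_directory: canonicalize
    fail-closed, then require containment in the project root before trusting it."""
    root = os.path.realpath(project_root)
    real = canonicalize_fail_closed(os.path.join(root, requested))
    return real is not None and inside_root(root, real)

def demo() -> dict:
    """Constructed fixture: a project dir and an in-project symlink pointing at an
    outside file that does not exist yet (the CVE-2026-50549 shape)."""
    with tempfile.TemporaryDirectory() as t:
        tmp = os.path.realpath(t)  # canonical, so only our own symlink is in play
        root, outside = os.path.join(tmp, "project"), os.path.join(tmp, "outside")
        os.mkdir(root)
        link = os.path.join(root, "notes.txt")
        os.symlink(os.path.join(outside, "not-yet-created"), link)
        return {
            "outside_wd_allowed": allow_write_target(root, outside),  # CVE-2026-50548 shape
            "fallback_says_inside": inside_root(root, canonicalize_with_fallback(link)),
            "fail_closed_allows_link": allow_write_target(root, "notes.txt"),
            "plain_file_allowed": allow_write_target(root, "src/main.py"),
        }
```

The fallback canonicalizer judges the dangling in-project symlink to be inside the root, while the fail-closed gate denies both it and the outside working_directory and still permits an ordinary in-project file.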

The initial rejection — and what it reveals about AI tool threat modeling

Cato AI Labs reported both vulnerabilities to Cursor on February 19, 2026. On February 23, Cursor rejected both reports. The stated justification: “Cursor’s threat model does not account for MCP server misuse even in cases where the MCP server itself is a standard, innocuous integration, like the official Linear.app workspace.”

This is a significant disclosure in its own right — more significant, arguably, than the technical details of the vulnerabilities themselves. Cursor’s threat model explicitly excluded MCP server-delivered prompt injection as an attack vector, even when the MCP server involved is an official, vetted integration used by enterprise customers. The threat model that governs the security design of an AI tool used by the majority of Fortune 500 companies did not consider that content flowing through a legitimate, enterprise-approved integration could carry malicious instructions.

Cato escalated directly to Cursor’s security team on February 26. The team reopened both reports and began triaging. This trajectory — initial rejection on threat model grounds, escalation, reopening — is the same pattern that preceded the Chaotic Eclipse / Microsoft Defender disclosure campaign DataWater covered yesterday in Article #37. The pattern is a familiar one in the security research community: a vendor’s threat model fails to account for an attack class until a researcher demonstrates it is exploitable in production, at which point the fix is retroactive rather than architectural.

The history: DuneSlide is the fourth round of Cursor prompt injection exploits

DuneSlide is not the first demonstration that Cursor’s agent is vulnerable to prompt injection. The Hacker News documents the prior rounds, all from the same research lineage:

  • CurXecute (CVE-2025-54135, August 2025) — from Cato AI Labs when they operated as Aim Security. A planted Slack message rewrote Cursor’s ~/.cursor/mcp.json config and ran commands even after the user rejected the edit. Patched in Cursor 1.3.
  • MCPoison (CVE-2025-54136, 2025) — from Check Point Research. Gets an MCP config approved once, then quietly swaps in malicious commands with no second prompt. Exploits the approval-once model that many MCP integrations use.
  • CVE-2026-26268 (February 2026) — hid a booby-trapped Git hook in a repository that fired the moment the agent ran a Git command. Patched in Cursor 2.5.
  • DuneSlide (CVE-2026-50548 / CVE-2026-50549, July 2026) — escapes the sandbox that Cursor introduced in the 2.x line as its response to the earlier wave. Patched in Cursor 3.0.

The pattern across all four: each attack defeats a specific guardrail. Cursor adds a guardrail, the next attack defeats it. The guardrail addition → defeat cycle is what Cato AI Labs means by describing the problem as structural rather than a string of one-offs. No individual patch closes the underlying vulnerability: an LLM agent that reads untrusted content, has access to credentials and system resources, and executes commands will always be a prompt injection target unless the architecture constrains what untrusted content can influence in the command-execution path.

The structural implication: sandboxing is not sufficient for agentic tools

Cato AI Labs’ conclusion from DuneSlide is the most important finding in the disclosure, and it applies directly to every agentic coding tool currently in production use — Claude Code, GitHub Copilot Agent, Gemini CLI, Windsurf, and every equivalent:

“Together, these vulnerabilities show how prompt injection can reach beyond the LLM layer and expose classical vulnerabilities in code paths that were not traditionally considered part of the attack surface. These findings emphasize that mere sandboxing cannot secure autonomous coding agents when parameter validation is inadequate. Cato AI Labs is pushing for systemic, architecture-level solutions rather than isolated patches to secure AI-based development tools.”

The specific architectural recommendation implicit in their analysis: parameter validation for LLM-controlled tool parameters — particularly those that interact with the filesystem, network, or process execution — must treat LLM-provided values as untrusted inputs, applying the same sanitization and boundary enforcement that secure application code applies to user-supplied inputs. The LLM is not a trusted component. In an agentic system, the LLM is the new user-input layer, and everything it provides to downstream system calls must be treated accordingly.

This connects directly to DataWater’s Claude Code reverse shell coverage from July 1 — Mozilla 0DIN’s finding that Claude Code can be walked into opening a reverse shell through a DNS TXT record payload delivered via an error message in a clean repository. The 0DIN attack and DuneSlide exploit the same fundamental property: an agentic coding tool that treats content it reads as trusted context rather than as the equivalent of untrusted user input. The attack surface is the agent’s context window, not any specific implementation detail that a targeted patch can close.

What to do right now

  1. Update Cursor to version 3.0 or later immediately. Cursor → Help → Check for Updates. Both CVE-2026-50548 and CVE-2026-50549 are patched in 3.0. Every version before 3.0 is vulnerable — this applies regardless of what operating system you run Cursor on.
  2. Verify the cursorsandbox binary has not been modified. On macOS: check /Applications/Cursor.app/Contents/Resources/app/resources/helpers/cursorsandbox. Any unexpected modification of this binary indicates the machine should be treated as compromised.
  3. Audit recent changes to startup files. Review ~/.zshrc, ~/.bash_profile, ~/Library/LaunchAgents/, and ~/.cursor/mcp.json for any additions you don’t recognize — particularly if you have been running Cursor versions before 3.0 against projects with active MCP server connections.
  4. Audit all MCP server connections in Cursor. Every MCP server you connect to is a potential injection point. Audit your MCP connections and remove any that are not actively required. Treat MCP server responses as untrusted input — even official, enterprise-approved integrations like Linear.
  5. Rotate credentials if you were running a vulnerable version. If you were running Cursor before 3.0 with active MCP connections or web search capabilities, treat your environment secrets — API keys, cloud credentials, Git tokens — as potentially compromised and rotate them.
  6. Apply the same scrutiny to Claude Code, Copilot Agent, Gemini CLI, and every equivalent tool. Cato AI Labs states they are disclosing similar flaws in all popular coding agents. DuneSlide is the public face of a broader finding about the entire category. Assume every agentic coding tool with MCP connectivity and autonomous terminal execution has analogous architectural exposure until vendor-specific security reviews confirm otherwise.
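To make steps 2 and 3 repeatable, here is an added Python example (not a Cursor or Cato tool) that compares the cursorsandbox binary against a recorded SHA-256 baseline and lists files under the checklist’s startup locations modified within a time window. KNOWN_GOOD_SHA256 is a placeholder to be recorded from a trusted install; demo() runs the same two checks against a constructed fixture.

```python
import hashlib
import os
import tempfile
import time
from pathlib import Path

# Checklist locations (macOS). KNOWN_GOOD_SHA256 is a placeholder: take it from a trusted 3.0 install.
SANDBOX_BINARY = "/Applications/Cursor.app/Contents/Resources/app/resources/helpers/cursorsandbox"
STARTUP_PATHS = ["~/.zshrc", "~/.bash_profile", "~/Library/LaunchAgents", "~/.cursor/mcp.json"]
KNOWN_GOOD_SHA256 = "<sha256 of cursorsandbox from a trusted Cursor 3.0 install>"

def sha256_of(path: str) -> str:
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def binary_status(path: str, known_good: str) -> str:
    """'missing', 'unchanged' or 'MODIFIED' relative to the recorded baseline hash."""
    if not os.path.isfile(path):
        return "missing"
    return "unchanged" if sha256_of(path) == known_good.lower() else "MODIFIED"

def recently_modified(paths, since: float) -> list:
    """Files among paths (dirs listed one level deep) with mtime after `since`: review candidates."""
    hits = []
    for p in map(os.path.expanduser, paths):
        entries = [os.path.join(p, n) for n in os.listdir(p)] if os.path.isdir(p) else [p]
        hits += [e for e in entries if os.path.isfile(e) and os.stat(e).st_mtime > since]
    return sorted(hits)

def audit_host(days: int = 30) -> dict:
    """Both checks against the real paths above; every 'recent' hit needs a human look."""
    return {"sandbox": binary_status(SANDBOX_BINARY, KNOWN_GOOD_SHA256),
            "recent": recently_modified(STARTUP_PATHS, time.time() - days * 86400)}

def demo() -> dict:
    """Constructed fixture: a stand-in helper binary tampered with after its baseline was
    recorded, and a LaunchAgents dir holding one backdated and one fresh plist."""
    with tempfile.TemporaryDirectory() as tmp:
        helper = Path(tmp, "cursorsandbox")
        helper.write_bytes(b"original helper bytes")
        baseline = sha256_of(str(helper))
        before = binary_status(str(helper), baseline)
        helper.write_bytes(helper.read_bytes() + b"\nappended bytes")  # tamper after baseline
        old = Path(tmp, "LaunchAgents", "com.example.old.plist")
        old.parent.mkdir()
        old.touch()
        (old.parent / "com.example.new.plist").touch()
        os.utime(old, (0, 0))  # backdate: last touched at the Unix epoch
        recent = recently_modified([str(old.parent)], time.time() - 30 * 86400)
        return {"before": before, "after": binary_status(str(helper), baseline),
                "recent": [os.path.basename(x) for x in recent]}
```

A hit in "recent" is a file to inspect by hand, not a verdict; a "MODIFIED" sandbox binary is the signal the checklist says to treat as compromise.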

DataWater publishes daily cybersecurity intelligence for enterprise and government security leaders. Article #38 — July 2, 2026. Previous: Six Microsoft Defender Zero-Days in 90 Days (July 1) · Claude Code Reverse Shell — Mozilla 0DIN (July 1) · Device Code Phishing 37x Spike (June 29).
