Listen to this Post

Introduction:
Two critical vulnerabilities in Cursor, an AI-powered code editor trusted by over half the Fortune 500, could allow a single innocuous-looking prompt to break out of the editor’s security sandbox and execute arbitrary commands on a developer’s machine. Tracked as CVE-2026-50548 and CVE-2026-50549 and collectively dubbed “DuneSlide,” these zero-click prompt injection flaws require no user interaction—no click, no approval dialog—making them especially dangerous in modern AI-assisted development workflows where trust in LLM-generated commands is often implicit.
Learning Objectives:
- Understand how prompt injection can transcend the LLM layer to become a classic RCE vulnerability
- Learn the technical mechanics behind CVE-2026-50548 (working directory manipulation) and CVE-2026-50549 (symlink canonicalization failure)
- Master mitigation strategies, including immediate patching, MCP server hardening, and filesystem monitoring
- Understanding the Cursor Sandbox and the Attack Surface
Cursor 2.x introduced an automatic terminal command execution feature that runs AI-agent-generated commands inside a sandbox by default. This sandbox operates without prompting the user for approval—a design choice intended to prevent “approval fatigue” while still protecting against malicious commands. The sandbox constructs security boundaries using a seatbelt policy that restricts write access to the current working directory.
The attack vector is prompt injection. The attacker never types directly into your Cursor instance. Instead, they plant malicious instructions inside content that your AI agent reads on your behalf—such as data from a connected service through the Model Context Protocol (MCP) or a page returned by a web search. When you ask a normal question, the hidden instructions ride along, and because the entire process requires no click or approval, the attack is “zero-click”.
Step-by-step attack flow:
- Attacker poisons an MCP server response or web search result with hidden prompt injection instructions
- Developer asks Cursor a benign question that causes the agent to ingest the poisoned content
- Hidden instructions direct the agent to write a file it should not be allowed to write
4. That write operation disables the sandbox
- Subsequent commands run with the developer’s full privileges
2. CVE-2026-50548: Working Directory Parameter Manipulation
The first vulnerability stems from how the sandbox processes the `working_directory` parameter of the `run_terminal_cmd` tool. When a sandboxed command executes, Cursor builds a policy that allows writes into the current working directory. The flaw lies in the fact that `working_directory` is an optional parameter controlled by the LLM. When the agent assigns a non-default value to this parameter, that path is blindly added to the sandbox’s allowed-write list.
Step-by-step exploitation:
- Prompt injection steers the LLM to set `working_directory` to a threat actor-controlled path outside the project scope
- The sandbox blindly adds this external path to its allowed-write list
- The agent writes to the sandbox helper executable: on macOS, `/Applications/Cursor.app/Contents/Resources/app/resources/helpers/cursorsandbox`
4. With the sandbox helper overwritten, future commands run without sandbox restrictions - Other viable targets include
~/.zshrc,~/.zshenv, or `~/Library/LaunchAgents`
Verification command (macOS/Linux):
Check if you're running a vulnerable version cursor --version If output < 3.0, you're vulnerable Verify sandbox helper integrity (macOS) shasum -a 256 /Applications/Cursor.app/Contents/Resources/app/resources/helpers/cursorsandbox Monitor for unauthorized writes to critical files sudo fs_usage -w -f filesys | grep -E "cursorsandbox|.zshrc|.zshenv"
Windows equivalent (PowerShell):
Check Cursor version
cursor --version
Monitor file system for suspicious writes
Get-WinEvent -LogName Security | Where-Object { $_.Message -match "cursorsandbox" }
3. CVE-2026-50549: Symlink Canonicalization Failure
The second vulnerability exploits Cursor’s path validation logic. Before writing a file, Cursor resolves symbolic links (symlinks) to confirm the real destination sits inside the project directory. The bug is in the fallback mechanism: when that check fails—because the target does not exist or the attacker removes read access from a folder in the path—Cursor gives up and trusts the symlink’s claimed in-project path instead.
Step-by-step exploitation:
- Attacker creates a symlink inside the project that points outside the project to the sandbox helper
- Prompt injection forces the agent to write to that symlink
- Cursor’s canonicalization check fails (target doesn’t exist or path component lacks read permission)
- Cursor falls back to trusting the symlink’s original, unverified path
- The sandbox helper is overwritten, achieving the same escape as CVE-2026-50548
Symlink attack demonstration (Linux/macOS):
Create a malicious symlink pointing to the sandbox helper ln -s /Applications/Cursor.app/Contents/Resources/app/resources/helpers/cursorsandbox ./malicious-link Remove read permissions from a path component to force the fallback chmod 000 ./some-parent-dir Now any write to ./malicious-link will bypass validation
Detection command:
Find suspicious symlinks in your project that point outside the workspace
find . -type l -exec sh -c 'target=$(readlink -f "{}"); case "$target" in $(pwd)/) ;; ) echo "Suspicious symlink: {} -> $target";; esac' \;
4. The Disclosure Timeline and Vendor Response
Cato AI Labs reported both vulnerabilities to Cursor on February 19. Initially, Cursor rejected the reports four days later, arguing that its threat model did not cover misuse of MCP servers, “even standard ones like the official Linear workspace”. Cato escalated on February 26, and Cursor reopened the reports, triaged them, and shipped both fixes in version 3.0, released April 2. The CVE IDs were assigned on June 5. All versions before 3.0 are affected.
Why this matters for the industry:
This disclosure highlights a growing tension: vendors of AI-powered tools often define their threat models narrowly, excluding “misuse” of legitimate features like MCP integrations. However, as this case demonstrates, prompt injection can turn any data ingestion point into an RCE vector. The security industry must adapt its threat modeling to account for LLM-mediated attacks that exploit classical vulnerabilities in code paths not traditionally considered part of the attack surface.
5. Hardening and Mitigation Strategies
While patching to Cursor 3.0 is the primary mitigation, organizations should implement additional defenses:
Immediate actions:
- Update immediately: Upgrade to Cursor 3.0 or later
- Review MCP server configurations: Audit all connected MCP services and restrict them to trusted sources only
- Implement filesystem monitoring: Watch for unauthorized writes to
cursorsandbox, shell startup files, and launch agents
Linux/macOS monitoring script:
!/bin/bash
Monitor for sandbox helper tampering
while true; do
CURRENT_HASH=$(shasum -a 256 /Applications/Cursor.app/Contents/Resources/app/resources/helpers/cursorsandbox 2>/dev/null | awk '{print $1}')
if [ -1 "$KNOWN_GOOD_HASH" ] && [ "$CURRENT_HASH" != "$KNOWN_GOOD_HASH" ]; then
echo "ALERT: Sandbox helper hash mismatch!"
fi
sleep 60
done
Windows monitoring (PowerShell):
Calculate and compare file hash
$path = "C:\Program Files\Cursor\resources\helpers\cursorsandbox.exe"
$hash = (Get-FileHash -Path $path -Algorithm SHA256).Hash
if ($hash -1e $knownGoodHash) {
Write-Host "ALERT: Sandbox helper hash mismatch!"
}
Additional hardening measures:
- Network isolation: Run Cursor in a segmented environment with limited outbound access
- MCP server whitelisting: Explicitly allow only vetted MCP servers
- Prompt injection awareness: Train developers to recognize and report suspicious AI behavior
- Regular vulnerability scanning: Integrate CVE-2026-50548 and CVE-2026-50549 into your vulnerability management workflow
6. Historical Context: The CurXecute Precedent
DuneSlide is not the first time Cursor has faced prompt-injection-induced RCE. In August 2025, the same research team (then operating as Aim Security) discovered CurXecute, tracked as CVE-2025-54135. That vulnerability allowed attackers to plant instructions in Slack messages that rewrote Cursor’s MCP configuration file (~/.cursor/mcp.json), enabling command execution even when the user explicitly rejected the modification. It was patched in version 1.3.
Pattern recognition:
- CurXecute (CVE-2025-54135): Configuration file tampering via Slack message injection
- DuneSlide (CVE-2026-50548/50549): Sandbox escape via working directory and symlink manipulation
This pattern suggests that AI-powered development tools will continue to be prime targets for prompt injection attacks that exploit the gap between LLM reasoning and classical security controls. The attack surface is expanding as AI agents gain more capabilities—file writes, terminal execution, network access—and each new capability introduces new opportunities for sandbox escapes.
What Undercode Say:
- Zero-click is the new zero-day: The absence of user interaction makes these vulnerabilities exceptionally dangerous. In traditional security models, a user click or approval dialog serves as a last line of defense. DuneSlide eliminates that entirely, meaning a single poisoned search result or MCP response can compromise an entire development environment.
-
The AI threat model gap: Cursor’s initial rejection of these reports—claiming MCP server misuse was “out of scope”—reveals a fundamental disconnect between how vendors design AI tools and how attackers actually exploit them. Threat models must evolve to treat all data ingested by LLMs as potentially untrusted, regardless of the source.
-
Defense in depth for AI workflows: Patching is necessary but insufficient. Organizations must implement defense-in-depth strategies: filesystem monitoring, network segmentation, MCP server whitelisting, and developer training on prompt injection risks. The attack surface of AI-powered tools is simply too large for any single control to be effective.
-
The commoditization of prompt injection: As LLMs become more capable and more deeply integrated into development workflows, prompt injection is evolving from a theoretical concern to a practical RCE vector. Security teams must treat prompt injection with the same urgency as SQL injection or cross-site scripting—it’s now a primary attack surface, not an edge case.
-
Fortune 500 exposure: With over half the Fortune 500 using Cursor, the potential impact of these vulnerabilities cannot be overstated. A successful attack against a single developer could compromise proprietary source code, cloud credentials, and internal systems—a supply chain attack waiting to happen.
Prediction:
-
-1 Expect a wave of similar vulnerabilities in other AI-powered development tools over the next 12–18 months. The architectural pattern—LLM-controlled parameters, symlink validation, and sandbox escapes—is common across the category, and researchers will increasingly target these interfaces.
-
-1 The disclosure timeline (rejection, escalation, eventual patch) will become a template for future AI security incidents. Vendors will initially resist expanding their threat models, forcing researchers to escalate publicly before vulnerabilities are acknowledged.
-
+1 The Cursor team’s eventual willingness to patch both vulnerabilities, despite initial resistance, signals growing maturity in AI tool security. Other vendors will likely follow suit, incorporating prompt injection into their formal threat models.
-
+1 MCP and similar protocols will undergo significant security hardening. The DuneSlide vulnerabilities demonstrate that data from MCP servers cannot be trusted, leading to better authentication, input validation, and sandboxing for AI-agent data sources.
-
-1 Developer trust in AI coding assistants may erode if these vulnerabilities become exploited in the wild. While no active exploitation has been observed yet, the attack surface is too attractive for sophisticated threat actors to ignore indefinitely.
▶️ Related Video (80% Match):
https://www.youtube.com/watch?v=0bcLy_bBDKM
🎯Let’s Practice For Free:
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
IT/Security Reporter URL:
Reported By: Mohit Hackernews – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


