
Critical Cursor Flaws Enable Zero-Click Sandbox Escape via Prompt Injection

July 1, 2026

Two critical vulnerabilities in Cursor, an AI-powered code editor, allow prompt injection attacks to escape the editor’s safety sandbox and execute arbitrary commands on a developer’s machine without any user interaction. Discovered by Cato AI Labs and named DuneSlide, the flaws are tracked as CVE-2026-50548 and CVE-2026-50549, both rated 9.8 on the CVSS 3.1 scale (9.3 under CVSS 4.0).

The attack vector relies on prompt injection: an attacker plants malicious instructions within content the AI agent reads, such as through the Model Context Protocol (MCP) or web search results. When the developer issues a normal query, the hidden instructions are executed without requiring a click or approval, making it a zero-click exploit.

CVE-2026-50548 abuses the working_directory parameter in Cursor’s run_terminal_cmd tool. The sandbox permits writes to the working folder, and setting a non-default path adds that path to the allowed-write list. An attacker can overwrite the sandbox helper binary (e.g., on macOS, /Applications/Cursor.app/Contents/Resources/app/resources/helpers/cursorsandbox) or startup files like ~/.zshrc, disabling the sandbox for subsequent commands.

CVE-2026-50549 exploits a symlink resolution flaw. When Cursor checks whether a write target is within the project directory, it resolves symlinks. If the check fails (e.g., the target doesn’t exist or a folder in the path has restricted read access), Cursor trusts the symlink’s in-project path. An attacker can create a symlink pointing outside the project, force the check to fail, and write to the sandbox helper.
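
The fail-open containment check described for CVE-2026-50549, shown beside a fail-closed version, as an added example that is not Cursor's code. The function names and the temporary fixture are assumptions made for illustration.

```javascript
const fs = require("fs");
const os = require("os");
const path = require("path");

// True when canonical path `child` is `root` itself or lies beneath it.
function isInside(root, child) {
  const rel = path.relative(root, child);
  return rel === "" || (rel.split(path.sep)[0] !== ".." && !path.isAbsolute(rel));
}

// Hypothetical fail-open check (not Cursor's code): on failure, trust the lexical path.
function allowWriteFailOpen(projectRoot, target) {
  let resolved;
  try { resolved = fs.realpathSync(target); }
  catch { resolved = path.resolve(target); } // lexical only, links not followed
  return isInside(fs.realpathSync(projectRoot), resolved);
}

// True only when nothing, not even a dangling symlink, exists at `p`.
function isMissing(p) {
  try { fs.lstatSync(p); return false; } catch (e) { return e.code === "ENOENT"; }
}

// Fail-closed: canonicalize the deepest existing ancestor; deny on any other failure.
function allowWriteFailClosed(projectRoot, target) {
  const root = fs.realpathSync(projectRoot);
  const tail = [];
  for (let cur = path.resolve(target); ; cur = path.dirname(cur)) {
    try {
      return isInside(root, path.join(fs.realpathSync(cur), ...tail));
    } catch (e) {
      // EACCES, ELOOP, dangling link, or filesystem root reached: deny.
      if (e.code !== "ENOENT" || !isMissing(cur) || path.dirname(cur) === cur) return false;
      tail.unshift(path.basename(cur));
    }
  }
}

// Constructed fixture: project/link -> outside, project/dangling -> outside/missing.
function demo() {
  const base = fs.realpathSync(fs.mkdtempSync(path.join(os.tmpdir(), "fixture-")));
  const [project, outside] = ["project", "outside"].map((d) => path.join(base, d));
  fs.mkdirSync(path.join(project, "src"), { recursive: true });
  fs.mkdirSync(outside);
  fs.symlinkSync(outside, path.join(project, "link"));
  fs.symlinkSync(path.join(outside, "missing"), path.join(project, "dangling"));
  return ["src/new.txt", "link/new.txt", "dangling"].map((p) => path.join(project, p))
    .map((t) => [allowWriteFailOpen(project, t), allowWriteFailClosed(project, t)]);
}
```

demo() returns one [fail-open, fail-closed] pair per target. Because the check and the write are separate steps, the verdict only holds if nothing can change the path in between.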

Once the sandbox is neutralized, the attacker gains full control of the developer’s machine and any connected cloud or SaaS workspaces. Cursor 3.0, released April 2, 2026, patches both bugs. All versions before 3.0 are affected. Cato reported the issues on February 19, 2026; Cursor initially rejected them but later fixed them after escalation. There is no evidence of active exploitation in the wild.

This is the latest in a series of Cursor vulnerabilities involving prompt injection leading to code execution, including CurXecute (CVE-2025-54135), MCPoison (CVE-2025-54136), and CVE-2026-26268. Cato AI Labs argues the problem is structural, not a series of one-offs, and is disclosing similar flaws in other coding agents.

CVEs: CVE-2026-50548, CVE-2026-50549, CVE-2025-54135, CVE-2025-54136, CVE-2026-26268, CVE-2026-20245

Companies: Cato AI Labs, Cursor, Aim Security, Check Point Research, The Hacker News

Products: Cursor