Cursor IDE's Sandbox Cracked by Prompt Injection — No User Interaction Required
Two logic flaws in Cursor's command execution sandbox let attackers escape the isolation layer and run code on the underlying OS. Patches landed in April. The researchers say Cursor isn't alone.

Cato Networks published findings this week on a pair of vulnerabilities in Cursor, the AI-assisted coding environment recently acquired by SpaceX for $60 billion in stock. The flaws — CVE-2026-50548 and CVE-2026-50549 — together enable remote code execution by breaking out of the sandbox Cursor uses to contain its internal AI agent. Cato is calling the exploit chain DuneSlide.
Neither CVE requires prior privileges. No specific user action triggers the exploit beyond the victim issuing a normal coding prompt that inadvertently pulls in an attacker-controlled payload — from a poisoned MCP server response or a tainted web search result, for instance.
The first flaw lives in Cursor's run_terminal_cmd tool. That tool accepts a working_directory parameter that overrides the sandbox's default path restriction, which is supposed to limit file writes to the active project directory. An injected prompt can steer the agent to set that parameter to an arbitrary attacker-controlled path. From there, an attacker can overwrite the cursorsandbox executable itself, plant malicious scripts in shell configuration files, or drop payloads into startup folders like ~/Library/LaunchAgents on macOS.
The second flaw is a canonicalization failure. Cursor's sandbox resolves symlinks to verify a file's true location falls inside the project root. When canonicalization fails — path doesn't exist, missing read permissions on an intermediate directory — the agent falls back to trusting the original symlink path. An attacker who creates a symlink inside the project directory pointing to a file outside it can exploit that fallback to escape the restriction entirely.
Both vulnerabilities were patched in Cursor version 3.0, released in April.
The broader concern here isn't Cursor specifically. Prompt injection has been a known theoretical risk in agentic AI systems for years. DuneSlide demonstrates it as a concrete exploitation vector against the software layer implementing the agent — not just the model. Agentic coding tools routinely parse web pages, code repositories, MCP responses, and other third-party content. Any of those surfaces can carry injected instructions.
Cato says it is conducting coordinated disclosure across other popular coding agents and has found similar isolation-layer weaknesses elsewhere. The researchers frame this as a systemic problem, not a Cursor-specific slip. The tooling ecosystem built around LLMs is, at present, catching up to an attack surface that prompt injection has already mapped.



