Two vulnerabilities in Cursor rated CVSS 9.8 allow sandbox escape and remote code execution without user interaction. The fix is available starting with version 3.0.

Cato AI Labs disclosed two critical vulnerabilities in Cursor on July 1, 2026. The AI coding agent is used by more than half of the Fortune 500. The flaws let a prompt-injection attack break out of the sandbox and run arbitrary commands on the developer's machine. Tracked as CVE-2026-50548 and CVE-2026-50549, both carry a CVSS score of 9.8 and require no victim interaction. According to Cato, Cursor initially rejected the report, reversing course after an escalation on February 26.

Key Takeaways
  • Two vulnerabilities, dubbed DuneSlide, affect all Cursor versions prior to 3.0, released April 2, 2026
  • CVE-2026-50549 exploits a canonicalization failure with a symlink fallback, classified as CWE-59 in the NVD record
  • CVE-2026-50548 abuses the working_directory parameter in run_terminal_cmd to add arbitrary paths to the allow-list
  • According to Cato, Cursor rejected the initial report on February 23, 2026, citing a threat model that excluded MCP server abuse

How the Attack Works: Two Bugs, One Goal

The DuneSlide mechanism unfolds in two distinct technical phases that converge on the same result: overwriting the cursorsandbox helper and disabling sandbox protection, followed by command execution with the legitimate user's privileges.

The first vulnerability, CVE-2026-50548, exploits the handling of the working_directory parameter in the run_terminal_cmd function. When the agent sets a non-standard path, Cursor adds that path to the authorized write list without further checks. The sandbox, designed to restrict operations to a defined working directory, is thus arbitrarily extended by the attacker through an apparently benign prompt.

The second, CVE-2026-50549, which the NVD record classifies as CWE-59, exploits a path canonicalization defect. According to the official National Vulnerability Database description, "when canonicalization fails, the system falls back to the original path and writes without approval." The attacker creates a symlink inside the workspace that points outside it, forcing the check to fail and gaining write access to arbitrary locations.

Both techniques allow overwriting the sandbox helper binary. Once compromised, the helper executes commands outside the isolated environment, with the legitimate user's privileges.
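
The fail-open fallback described for CVE-2026-50549 and the unchecked working_directory described for CVE-2026-50548 both come down to the same containment check, sketched here as an added Python example (not Cursor's code and not taken from the Cato disclosure). The function names, the temporary directory layout and the use of a symlink with a missing target as the failing case are assumptions made for illustration.

```python
import os
import tempfile
from pathlib import Path

def _inside(ws: Path, real: Path) -> bool:
    return real == ws or ws in real.parents

def fail_open_allows(workspace, candidate) -> bool:
    """Fail-open pattern from the NVD description: on error, check the original path."""
    ws = Path(workspace).resolve(strict=True)
    try:
        real = Path(candidate).resolve(strict=True)
    except (OSError, RuntimeError):
        real = Path(os.path.abspath(candidate))  # fallback keeps the symlink unresolved
    return _inside(ws, real)

def safe_resolve(workspace, candidate):
    """Fail-closed check: return the canonical path inside workspace, else None."""
    ws = Path(workspace).resolve(strict=True)
    p = Path(os.path.abspath(candidate))
    try:
        if os.path.lexists(p):   # existing entry, including a dangling symlink
            real = p.resolve(strict=True)
        else:                    # file to be created: canonicalize its parent
            real = p.parent.resolve(strict=True) / p.name
    except (OSError, RuntimeError):  # RuntimeError: symlink loop on older Pythons
        return None              # canonicalization failed, so deny
    return real if _inside(ws, real) else None

def demo() -> dict:
    """Constructed layout: a workspace, a sibling directory, and one symlink."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp).resolve()
        ws, outside = root / "workspace", root / "outside"
        ws.mkdir()
        outside.mkdir()
        (ws / "main.py").write_text("print('ok')\n")
        link = ws / "notes.txt"
        link.symlink_to(outside / "absent")  # target missing, so resolution fails
        return {
            "fail_open_link": fail_open_allows(ws, link),        # wrongly allowed
            "safe_link": safe_resolve(ws, link),                 # denied
            "safe_existing": safe_resolve(ws, ws / "main.py") == ws / "main.py",
            "safe_new_file": safe_resolve(ws, ws / "new.txt") == ws / "new.txt",
            "safe_workdir_outside": safe_resolve(ws, outside),   # denied
        }

if __name__ == "__main__":
    print(demo())
```

A check of this kind still leaves a window between the check and the write, so the write should use the returned canonical path and refuse to follow a symlink when opening it.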

Zero-Click, Zero Warning: The Deception of the "Benign" Prompt

The severity of the attack lies in the absence of warning signals for the victim. No click on a malicious link is required, nor any confirmation of approval dialogs.

"There is no click to fall for and no approval box to ignore" — Cato AI Labs, reported by The Hacker News

The only interaction needed is the insertion of a prompt the user perceives as legitimate, within the ordinary workflow with the AI agent. According to the disclosure documentation, this profile eliminates the traditional weak link in the security chain: human fallibility in recognizing social-engineering attempts.

The Governance of Refusal: February, April, and the Threat Model

According to the responsible-disclosure timeline, Cato AI Labs submitted the initial report on February 19, 2026. Cursor responded on February 23 with a rejection, reasoning that its threat model did not treat abuse of MCP servers (the connection protocols between the AI agent and external services) as a relevant vector.

The case was reopened after the February 26 escalation. The fix was included in Cursor 3.0, released April 2, 2026, prior to the disclosure publication. Per the Cato/THN timeline, the CVEs were assigned on June 5, 2026, with final publication on July 1, 2026.

The initial rejection is not an isolated episode for Cursor. The dossier documents a series of prior vulnerabilities with the same pattern: CVE-2025-54135 (CurXecute, CVSS 8.5), CVE-2025-54136 (MCPoison, CVSS 7.2), and CVE-2026-26268 (Git hook RCE). Each demonstrated that the interaction between prompt injection, sandbox, and system components can produce remote code execution.

What to Do Now

  • Update immediately to Cursor 3.0 or later, released April 2, 2026, which includes the fix for both vulnerabilities
  • Verify that developer workstations running Cursor are not on versions prior to 3.0

Limitations of This Analysis

This analysis is based primarily on the Cato AI Labs disclosure via The Hacker News, with NVD confirmation for CVE-2026-50549. Details on CVE-2026-50548 are not independently verified on NVD. No indications of in-the-wild exploitation are available at the time of publication.

The Timeline in Numbers

The interval between the initial report on February 19, 2026 and the fix release on April 2, 2026 is roughly six weeks. The interval between the fix release and the disclosure publication on July 1, 2026 is roughly three months. No data in the brief allows the fix timing to be characterized as late or prompt relative to discovery.

According to analysts, the sequence of events shows how the vendor's risk classification can influence response prioritization. Cursor's change of position after the February 26 escalation suggests, in Cato's words, that the initial threat model had not anticipated the MCP server vector as relevant to sandbox security.

The DuneSlide case confirms a recurring pattern in Cursor vulnerabilities: the overlap between AI agent functionality and operating-system security controls creates attack surfaces where prompt injection becomes equivalent to code execution. The presence of more than half of the Fortune 500 in the user base, per Cursor's statement, amplifies the potential impact surface.

Sources: The Hacker News (primary Cato AI Labs disclosure); NVD – CVE-2026-50549 (official record with CVSS, CWE-59, CPE).

Information has been verified against cited sources and updated as of publication time.

Sources and references
  1. thehackernews.com
  2. bleepingcomputer.com
  3. nvd.nist.gov
  4. mintmcp.com
  5. penligent.ai
  6. csoonline.com
  7. microsoft.com
  8. cyberscoop.com