Critical Cursor Bugs Could Let Prompt Injection Break Out of Sandbox and Execute Commands
Researchers have disclosed two high-severity vulnerabilities in Cursor, an AI-assisted code editor, that could let a malicious prompt push the agent out of its sandbox and execute commands on a develo...
Researchers have disclosed two high-severity vulnerabilities in Cursor, an AI-assisted code editor, that could let a malicious prompt push the agent out of its sandbox and execute commands on a developer’s machine without any user click or approval.
The issues, collectively dubbed DuneSlide by Cato AI Labs, are tracked as CVE-2026-50548 and CVE-2026-50549. Both carry a CVSS score of 9.8 under the standard metric, indicating critical impact. Cursor has already issued a fix in version 3.0, and all earlier releases are considered affected.
How the attack works
Cursor’s sandbox was introduced to keep AI-generated terminal activity confined to limited locations on the system. According to the researchers, the flaws allow an attacker to manipulate the agent through prompt injection, where hidden instructions are embedded in content the editor processes from external sources such as web pages or connected services.
In one case, the agent can be tricked into writing to a path outside the intended project directory by changing the working directory used by Cursor’s terminal command tool. If that write lands on a sensitive file, such as the sandbox helper itself or a shell startup file, later commands may run without sandbox restrictions.
The second issue involves symlink handling. Cursor checks whether a target file is really inside the project before writing to it, but if that verification fails, the editor may fall back to trusting the shortcut’s apparent location. An attacker can exploit that behavior to redirect a write operation to a file outside the project and achieve the same sandbox escape.
Why it matters
Once the sandbox is disabled, subsequent terminal commands run with the user’s privileges. That could expose local files, credentials, and any connected cloud or SaaS accounts open in the editor.
- Cato says the issues were reported on February 19.
- The vendor initially declined the report, then reopened it after escalation.
- Cursor released a fix in version 3.0 on April 2.
- The CVE identifiers were assigned on June 5.
Cato noted that it has also found similar weaknesses in other AI coding tools, suggesting the risk is not limited to Cursor alone. No in-the-wild exploitation has been publicly reported.
