Cursor DuneSlide: two critical sandbox escapes in the AI IDE (CVE-2026-50548 / -50549)
Two CVSS 9.3 flaws let a prompt-injected agent write outside Cursor's workspace and reach OS-level RCE. Patched in Cursor 3.0. Credit: Cato AI Labs.
Cursor, the AI-first code editor, shipped two critical sandbox escapes in June that let a prompt-injected agent write arbitrary files outside the workspace and reach OS-level code execution — no user click required beyond the initial "run this agent" prompt. Both are patched in Cursor 3.0; every version before 3.0 is affected. Cato AI Labs disclosed the pair; the researchers named the class DuneSlide.
- CVE-2026-50548 — sandbox escape via agent-controlled working directory. Primary advisory: GHSA-3p48-7v9f-v5cw. CVSS 4.0 = 9.3, CWE-22 (path traversal).
- CVE-2026-50549 — sandbox escape via symlink and failed path canonicalization. Primary advisory: GHSA-3v8f-48vw-3mjx. CVSS 4.0 = 9.3, CWE-59 (improper link resolution). Credit: Cato AI Labs and Maor Dokhanian.
Widespread press coverage started July 2. The GitHub advisories carry a June 5, 2026 publication date.
What the bugs are
Cursor runs agent-issued terminal commands inside a sandbox by default. The sandbox is what stands between an untrusted-input prompt injection — an MCP server response, a web page the agent read, a file the agent grepped — and the developer's filesystem. DuneSlide is two independent ways to break that boundary.
CVE-2026-50548 — agent-controlled working_directory. The sandbox trusts the working folder the agent picks for a shell command. A malicious agent can set working_directory to a sensitive location and write arbitrary files there under the user's privileges. The pivot in the vendor advisory: overwrite the sandbox helper itself. Once the helper is compromised, later commands run with no boundary at all.
CVE-2026-50549 — symlink + failed canonicalization. Before a write, Cursor canonicalizes the target path to confirm it lands inside the workspace. When canonicalization fails — because the target file is missing or read permission is stripped — the code falls back to the original path and writes without approval. An in-workspace symlink pointing outside the workspace, plus a forced canonicalization failure, is enough to write anywhere the user can.
Both quotes are from the GitHub Security Advisory text.
Affected
- Cursor < 3.0 on every platform (Desktop). Vendor advisories name the same version boundary for both CVEs.
- CLI and IDE integrations that inherit the same sandbox. Cursor's earlier advisory backlog (GHSA-x2vq-h6v6-jhc6 for the CLI in October 2025) shows the same sandbox surface has been the source of repeated escapes.
Exploitation status
- No in-the-wild reports at time of publication. Neither the vendor advisory nor the disclosing researchers cited active exploitation. CISA has not added either CVE to KEV.
- Trigger path is unauthenticated in the practitioner's sense of the term: the developer types a benign prompt; the agent, on its own, reads attacker content and obeys the hidden instructions in it. The victim's role is limited to "asked the agent to do something."
- PoC discussion is public. The GHSA text describes the primitive at a level a competent attacker could operationalize — arbitrary file write under the user's UID, with the sandbox helper as a documented pivot for full RCE.
Action checklist
- Upgrade to Cursor 3.0 or later on every developer workstation. Downgrade blocks: check
cursor --version; the update is mandatory, not opt-in, for the fix. - Inventory MCP servers your agents can reach. Prompt injection travels in MCP responses. Any MCP endpoint that ingests untrusted content (web search, ticketing systems, email, RSS) is an injection carrier. Prune to the ones you actually need; treat their outputs as attacker-controlled.
- Disable agent-driven web fetches by default for repositories with sensitive credentials on disk. Cursor's per-project settings let you turn off tool categories.
- Rotate anything the sandbox could have written to. SSH keys, cloud CLI tokens (
~/.aws/credentials,~/.config/gcloud,~/.kube/config), git credential helpers,.envrcfiles,.npmrcauth tokens. If you can't rule out that a compromised agent ran between June 5 and your upgrade, rotate. - Add file-integrity monitoring on the Cursor sandbox helper path on any workstation still on <3.0 during a phased rollout. Both CVEs pivot on overwriting the helper; a write to it from a Cursor process is the tell.
Context
DuneSlide is not the first Cursor sandbox escape, and the vendor's own security advisory listing reads like a pattern: GHSA-8pcm-8jpx-hv8r (Git hooks, February), GHSA-pc9j-3qc2-95wv (Claude hook configuration, May), and now the DuneSlide pair — three separate ways to escape the same sandbox in five months. The common thread is that the sandbox is trying to enforce a policy (writes stay inside the workspace) against an adversary who controls the exact inputs the policy check reads. Every time the check has a fallback path — trust the working directory the agent asked for, trust the original path when canonicalization fails, trust a hook script the agent installed — the fallback is the escape.
For teams running AI coding agents in enterprise environments, the operational takeaway is that the developer's workstation is now the same class of attack surface as the CI runner: an untrusted-input executor with credentials on disk. Treat it accordingly.