Security researchers at Cato AI Labs have disclosed a pair of critical vulnerabilities in Cursor, a widely used AI-powered code editor, that can allow prompt injection attacks to escape the application’s safety sandbox and run arbitrary commands on an affected developer’s system. The vulnerability set has been named DuneSlide.

How the Attack Works

The two flaws, tracked as CVE-2026-50548 and CVE-2026-50549, require no user interaction beyond the developer encountering a crafted prompt. There is no suspicious link to click and no permission dialog to dismiss. A single, ordinary-looking prompt is sufficient to trigger the chain, break out of the editor’s sandbox, and execute commands with the privileges of the running process on the developer’s machine.

Both vulnerabilities carry CVSS scores of 9.8 (or 9.3 under alternate scoring), placing them firmly in the critical severity tier. The combination of a high score, zero required user interaction, and the privileged context in which code editors typically run makes these flaws particularly dangerous for development environments.

Why Developer Tools Are High-Value Targets

AI-assisted code editors such as Cursor have become common fixtures in software development workflows. They frequently operate with broad filesystem access and the ability to execute shell commands as part of their core functionality. An attacker who can manipulate the AI model’s context through injected prompts can potentially leverage those same permissions to exfiltrate source code, introduce malicious changes, or establish persistence on a developer’s workstation.

Prompt injection in agentic or editor-integrated AI systems represents a growing attack surface. Unlike traditional injection vulnerabilities, the “payload” here is natural language embedded in content the model is asked to process, such as a comment in a code file or text in a document opened within the editor.

Recommended Actions

  • Apply any patches or updated versions of Cursor as soon as they become available from the vendor.
  • Restrict the file system and shell execution permissions granted to AI editor processes where operationally feasible.
  • Treat untrusted third-party code, documents, and repositories as potentially hostile inputs when opened in AI-assisted editors.
  • Monitor for anomalous process spawning or outbound connections originating from editor processes.
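
The last recommendation can be implemented as a process-ancestry check. The following is an added example, not code from Cato AI Labs or Cursor: it walks process-creation and connection events and flags anything descended from the editor that falls outside a baseline. The event schema, editor process names, allowlists and sample events are all assumptions constructed for illustration.

```python
import json

# Assumed values: adapt to the binaries and event schema in your own telemetry.
EDITOR_NAMES = {"cursor", "cursor.exe"}       # assumed editor process names
ALLOWED_CHILDREN = {"git", "node", "rg"}      # assumed baseline of expected helpers
ALLOWED_HOSTS = {"updates.editor.example"}    # placeholder destination allowlist

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = """\
{"type":"proc","pid":100,"ppid":1,"name":"cursor","cmd":"cursor /home/dev/repo"}
{"type":"proc","pid":110,"ppid":100,"name":"git","cmd":"git status"}
{"type":"proc","pid":120,"ppid":100,"name":"bash","cmd":"bash -c ./build.sh"}
{"type":"proc","pid":121,"ppid":120,"name":"curl","cmd":"curl https://files.example.net/x"}
{"type":"conn","pid":121,"dest":"files.example.net","port":443}
{"type":"conn","pid":100,"dest":"updates.editor.example","port":443}
{"type":"proc","pid":200,"ppid":1,"name":"bash","cmd":"bash"}
{"type":"conn","pid":200,"dest":"files.example.net","port":443}
"""

def find_anomalies(lines):
    """Return alerts for unexpected processes/connections descended from the editor."""
    parent, name, alerts = {}, {}, []

    def under_editor(pid):
        seen = set()  # guards against PID-reuse loops in the ancestry chain
        while pid in name and pid not in seen:
            if name[pid].lower() in EDITOR_NAMES:
                return True
            seen.add(pid)
            pid = parent.get(pid)
        return False

    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev["type"] == "proc":
            parent[ev["pid"]], name[ev["pid"]] = ev["ppid"], ev["name"]
            is_editor = ev["name"].lower() in EDITOR_NAMES
            if not is_editor and under_editor(ev["ppid"]) and ev["name"] not in ALLOWED_CHILDREN:
                alerts.append(("spawn", ev["pid"], ev["name"]))
        elif ev["type"] == "conn" and under_editor(ev["pid"]) and ev["dest"] not in ALLOWED_HOSTS:
            alerts.append(("conn", ev["pid"], ev["dest"]))

    return alerts

if __name__ == "__main__":
    for alert in find_anomalies(SAMPLE_EVENTS.splitlines()):
        print(alert)
```

Shells opened from an editor's integrated terminal will also match, so the child allowlist needs tuning against normal developer activity before alerts are actionable.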

Cato AI Labs identified and reported the DuneSlide vulnerabilities. Full technical details, including the specific mechanisms used to achieve sandbox escape, were disclosed alongside the CVE assignments.