Researchers at Cato Networks have disclosed two critical vulnerabilities in the Cursor AI code editor that can be chained or exploited independently to achieve remote code execution (RCE) outside the IDE’s sandbox. Tracked as CVE-2026-50548 and CVE-2026-50549, both carry a CVSS score of 9.8 and are grouped under the name DuneSlide.

How the Vulnerabilities Work

Both flaws abuse Cursor’s automatic terminal command execution inside the sandbox, a feature that runs commands without prompting the user for approval. An attacker can trigger exploitation by convincing a user to ingest an attacker-controlled payload through the IDE’s prompt interface.

CVE-2026-50548 targets the sandbox’s boundary enforcement. Normally, command execution is restricted to the current working directory. However, when a non-default value is assigned to the working_directory parameter, that path is added to the sandbox’s allow list. An attacker can craft a malicious MCP server request that injects a prompt instructing the underlying language model to set the working directory to an arbitrary, attacker-supplied path outside the project scope. From there, the attacker can overwrite the cursorsandbox executable itself, causing all subsequent commands within the same prompt injection session to run without any sandbox restrictions.

CVE-2026-50549 is an independent flaw affecting the IDE’s file path resolution logic. It can be exploited using symbolic links to bypass out-of-bounds write protections. An attacker injects a prompt that instructs Cursor to create a symlink within the project directory pointing to a file outside it. A flaw in the agent’s path canonicalization logic causes Cursor to fall back to using the original symlink path rather than its resolved target when verifying directory boundaries. This allows an attacker to create a write-only symlink pointing back to the cursorsandbox executable, once again enabling unsandboxed execution.

Scope and Patch Status

Cato reported both vulnerabilities to the Cursor development team in February. Patches for both issues were shipped in Cursor 3.0, released on April 2. CVE identifiers were assigned in early June.

Security teams using Cursor in development environments should confirm they are running version 3.0 or later. Given that exploitation requires a user to process attacker-controlled content through the IDE’s prompt interface, organizations should also reinforce guidance around ingesting untrusted files or prompts in AI-assisted development workflows.