DuneSlide Turns Cursor Prompts into Sandbox Escapes (CVE-2026-50548, CVE-2026-50549)

Key Takeaways

  • Researchers disclosed two critical Cursor IDE sandbox bypass flaws.
  • Both were assigned 9.8 CVSS scores and CVE identifiers.
  • Prompt injection could steer agents to write outside the workspace.
  • Successful exploitation enabled unsandboxed remote code execution.
  • Cursor fixed both vulnerabilities in version 3.0.

Summary

Researchers disclosed DuneSlide, a pair of critical Cursor IDE vulnerabilities that showed how indirect prompt injection can escape an AI coding agent sandbox and reach the underlying operating system. Cato reported that both issues received 9.8 CVSS scores and were assigned CVE-2026-50548 and CVE-2026-50549. The incident matters because it turns agentic coding assistance into a potential path for host compromise.

What We Know

On July 1, 2026, Cato AI Labs published technical research on two Cursor IDE flaws collectively named DuneSlide. CSO Online summarized the findings as sandbox bypass vulnerabilities that allow prompt injection to become a remote code execution vector. Cursor is an AI-assisted development environment that can execute agent terminal commands inside a sandbox, a control intended to limit what autonomous coding actions can modify on the host.

The first flaw, CVE-2026-50548, involved the working_directory parameter for terminal commands. NVD states that before version 3.0, Cursor granted sandbox write access to the command working directory, and a malicious agent could modify that parameter to include writable paths outside the intended workspace. The second flaw, CVE-2026-50549, involved symlink path resolution. When canonicalization failed, Cursor could fall back to the original in-workspace path and write through a link to an arbitrary external location. Both vulnerabilities were fixed in Cursor 3.0.

What Happened

DuneSlide combined an AI-specific failure mode with traditional software isolation flaws. The AI-specific issue was indirect prompt injection: a victim could make an ordinary request that caused Cursor to ingest attacker-controlled instructions from a poisoned MCP response, search result, or other untrusted source. The traditional security issue was insufficient enforcement of the sandbox boundary once the agent was convinced to perform file operations.

In CVE-2026-50548, a malicious prompt could steer the agent to set working_directory to a sensitive external location. NVD describes how this could enable writes outside the workspace under the user privileges and produce non-sandboxed remote code execution. In CVE-2026-50549, the agent could create a symlink inside the project that pointed outside the project and force canonicalization to fail. NVD notes that writing through the symlink could overwrite arbitrary external files without approval. In both cases, overwriting the cursorsandbox helper or shell startup locations could turn later commands into unsandboxed execution.

Why It Matters

DuneSlide is important because it shows that prompt injection is no longer limited to model output manipulation or data leakage. In agentic development tools, injected instructions can traverse into command execution, file writes, tool parameters, and local operating system behavior. That makes AI coding agents part of the software supply chain attack surface, not merely productivity assistants.

The affected assets are high value. Developer workstations often contain source code, credentials, build secrets, signing material, cloud access tokens, and direct paths into production environments. Even when no active exploitation is confirmed, a reliable sandbox bypass in a widely used AI coding environment creates serious exposure. The issue also reinforces a broader lesson for AI governance: approval prompts, command allowlists, and sandboxing are necessary controls, but they are not sufficient unless agent intent, tool parameters, file paths, and runtime behavior are continuously validated before execution.

PointGuard AI Perspective

DuneSlide is exactly the kind of incident that illustrates why autonomous coding agents need runtime control, not just developer prompts or static sandbox assumptions. PointGuard AI Agent Mission Control gives every agent a verifiable identity, validates actions before execution, and detects goal drift, risky file activity, out-of-scope actions, and anomalous behavior in real time. In a DuneSlide-style scenario, the key control point is the moment between agent intent and action: why is an agent changing execution context, writing outside the workspace, or touching sandbox helpers at all?

The PointGuard AI MCP Security Gateway adds another layer by governing agent-to-tool and agent-to-MCP interactions. If an MCP server, search result, or external tool output carries malicious instructions, the gateway can inspect retrieved content, apply tool-level authorization, validate arguments, and restrict downstream actions. AI runtime protection further enforces policy across prompts, responses, and tool content to stop indirect prompt injection, unsafe commands, and data exfiltration attempts before they influence execution.

The broader lesson is that AI coding environments require deterministic runtime enforcement at every layer: agent identity, intent validation, tool authorization, content inspection, and containment. Sandboxes reduce blast radius, but runtime governance determines whether a risky action should happen in the first place. Trustworthy AI adoption requires both.

Incident Scorecard Details

Total AISSI Score: 8.2/10

Criticality = 9, developer workstations can contain source code, credentials, build systems, and cloud access paths, AISSI weighting: 25%

Propagation = 9, the pattern can spread through MCP, web search, repositories, and agentic coding workflows across many environments, AISSI weighting: 20%

Exploitability = 7, public technical details and CVEs exist, with no confirmed widespread exploitation reported at publication, AISSI weighting: 15%

Supply Chain = 9, the risk depends on a widely used third-party AI coding tool and external content ingested into development workflows, AISSI weighting: 15%

Business Impact = 7, credible potential for severe compromise exists, but public reporting does not confirm broad exploitation or customer damage, AISSI weighting: 25%

Sources

PointGuard AI Resources

AI Security Severity Index (AISSI)

0/10

Threat Level

Criticality

9

Propagation

9

Exploitability

7

Supply Chain

9

Business Impact

7

Scoring Methodology

Category

Description

weight

Criticality

Importance and sensitivity of theaffected assets and data.

25%

PROPAGATION

How easily can the issue escalate or spread to other resources.

20%

EXPLOITABILITY

Is the threat actively being exploited or just lab demonstrated.

15%

SUPPLY CHAIN

Did the threat originate with orwas amplified by third-partyvendors.

15%

BUSINESS IMPACT

Operational, financial, andreputational consequences.

25%

Watch Incident Video

Subscribe for updates:

Subscribe

Ready to get started?

Our expert team can assess your needs, show you a live demo, and recommend a solution that will save you time and money.