DuneSlide
On February 19, 2026, Cato AI Labs reported two critical vulnerabilities in Cursor IDE to the vendor. Cursor rejected the report on February 23. Cato escalated on February 26. Cursor reopened the case and shipped a fix in version 3.0 on April 2. CVE identifiers were assigned on June 5. The pair was dubbed DuneSlide. Both carry CVSS 9.8 under v3.1 scoring and 9.3 under CVSS 4.0.
CVE-2026-50548: The Settings Abuse
Cursor's run_terminal_cmd tool accepts a working_directory parameter. The sandbox permits writes into a command's working folder — a reasonable default. But when an agent sets the working directory to a non-default path, Cursor adds that path to the allowed-write list without validation. An attacker who controls the prompt can set the working directory to the sandbox helper binary itself — on macOS, /Applications/Cursor.app/Contents/Resources/app/resources/helpers/cursorsandbox. Overwriting that binary neutralizes the sandbox. Every subsequent command runs unsandboxed.
The attack extends beyond the sandbox binary. Setting the working directory to the user's home folder and writing to startup files like ~/.zshrc achieves persistent code execution that survives Cursor restarts. The sandbox's own trust model — allowing writes in the working directory — becomes the attack vector.
CVE-2026-50549: The Symlink Bypass
Before writing a file, Cursor resolves symlinks to confirm the real destination sits inside the project workspace. But when that resolution fails — because the target does not exist, or because the attacker has removed read access from a folder in the path — Cursor falls back to trusting the symlink's apparent in-project path. An attacker creates a symlink inside the workspace that points outside it, engineers a condition where the resolution check fails, and Cursor writes through the symlink to an arbitrary location on disk.
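As an added example (not Cursor's code and not taken from Cato's report), here is one way to make the resolution step fail closed in Python: any error while resolving denies the write instead of falling back to the apparent in-project path. The same check can vet a requested working directory before it joins an allowed-write list. The names resolve_inside, WriteDenied and demo, and the temporary directory layout, are constructed for illustration.

```python
import os
import tempfile
from pathlib import Path


class WriteDenied(Exception):
    """The target could not be proven to lie inside the workspace."""


def resolve_inside(workspace, requested):
    """Return the real path of `requested`; on any doubt raise WriteDenied."""
    try:
        root = Path(workspace).resolve(strict=True)
        apparent = root / requested  # an absolute `requested` replaces root here
        try:
            os.lstat(apparent)
        except FileNotFoundError:
            # Nothing at that name yet (a new file): the parent must still resolve.
            target = apparent.parent.resolve(strict=True) / apparent.name
        else:
            # Something exists, maybe a symlink; strict=True raises if it dangles.
            target = apparent.resolve(strict=True)
    except (OSError, RuntimeError) as exc:  # RuntimeError: link loop, Python < 3.13
        # Resolution failed: deny, never fall back to the apparent path.
        raise WriteDenied(f"cannot resolve {requested!r}: {exc}") from exc
    if not target.is_relative_to(root):
        raise WriteDenied(f"{requested!r} resolves outside the workspace")
    return target


def demo():
    """Check constructed requests against a constructed workspace layout."""
    verdicts = {}
    with tempfile.TemporaryDirectory() as tmp:
        ws, outside = Path(tmp, "project"), Path(tmp, "outside")
        (ws / "src").mkdir(parents=True)
        outside.mkdir()
        os.symlink(outside, ws / "link_dir")                   # points out of the workspace
        os.symlink(outside / "missing", ws / "link_dangling")  # target does not exist
        requests = {"new_file": "src/new.py", "link_dir": "link_dir/new.txt",
                    "link_dangling": "link_dangling", "dotdot": "../outside",
                    "absolute_outside": str(outside)}
        for label, req in requests.items():
            try:
                resolve_inside(ws, req)
                verdicts[label] = "allow"
            except WriteDenied:
                verdicts[label] = "deny"
    return verdicts
```

Calling demo() allows only the new file under src/. A caller should then write to the returned real path rather than the requested one, since the check and the write are still two separate steps.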
Zero-Click Exploitation
Neither vulnerability requires user interaction beyond issuing a normal prompt. The attack chain works through prompt injection: an attacker plants hidden instructions in content the AI agent reads — an MCP server response, a poisoned web search result, a crafted code comment in a repository. The user asks an innocuous question. The agent ingests the malicious content. The prompt injection triggers the sandbox escape. The next command runs with the developer's full privileges.
Once the sandbox is neutralized, the attacker controls the developer's machine and every cloud or SaaS workspace the editor is authenticated to. This is not theoretical. The attack requires no user credentials and no deliberate interaction, and no security warning is displayed. Cato AI Labs demonstrated the full chain from benign prompt to arbitrary code execution.
The Broader Signal
More than half the Fortune 500 use Cursor. Every version before 3.0 — released April 2, 2026 — was vulnerable. The initial disclosure was rejected by the vendor, adding four days to the exposure window. CVE assignment took over three months from the fix date. The timeline is a case study in how AI tool vulnerabilities move through the disclosure pipeline.
DuneSlide joins a growing catalog of critical AI coding tool vulnerabilities. Claude Code carries 28 CVEs including two CVSS 10.0s. Gemini CLI had a CVSS 10.0. The pattern is consistent: AI agents need filesystem and shell access to function, and every sandbox designed to contain that access has been breached. The question for security teams is not whether their AI coding tools have sandbox escapes. It is whether they are running the patched version.


