Recent findings have revealed two critical remote code execution (RCE) vulnerabilities within Cursor IDE, an AI-driven development environment widely adopted by over half of the Fortune 500 companies. These significant security flaws were uncovered by Cato AI Labs, highlighting potential risks for many leading businesses.
Details of the Vulnerabilities
Cato AI Labs identified the flaws, named ‘DuneSlide,’ which have been assigned the CVE identifiers CVE-2026-50548 and CVE-2026-50549, each carrying a severe CVSS score of 9.8. These vulnerabilities enable attackers to bypass Cursor’s sandboxing features entirely, posing a substantial security threat.
The vulnerabilities show that prompt injection attacks are not limited to altering the outputs of large language models (LLMs): they can also reach traditional code execution paths that were previously not considered part of the attack surface.
Implications of Exploitation
If exploited, these vulnerabilities allow attackers to overwrite essential system files, such as the cursorsandbox binary. This action transforms previously sandboxed terminal commands into fully unsandboxed RCE, endangering both local systems and connected SaaS environments.
Remarkably, these vulnerabilities can be triggered without requiring any user privileges or interaction. It is sufficient for a user to issue a seemingly harmless prompt that unintentionally incorporates content from an untrusted source, such as an MCP server response or a compromised web search result.
Individual Vulnerability Analysis
CVE-2026-50548 arises from the way Cursor’s sandbox permits write access to a command’s working directory. Through prompt injection, an attacker can redirect the working directory to a path outside the project root, so that the write access follows the command out of the project.
CVE-2026-50549 involves a flaw in Cursor’s path resolution logic. It allows prompt injection to create symlinks leading to external files, which, if unchecked, can bypass write restrictions and enable privileged RCE activities without user interaction.
These findings emphasize that sandboxing alone cannot secure autonomous coding agents when parameter validation is inadequate. Cato AI Labs is pushing for systemic, architecture-level solutions rather than isolated patches to secure AI-based development tools.
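The parameter validation that both CVE descriptions point to can be sketched as follows. This is an added example, not code from Cursor or Cato AI Labs; the function names, the constructed directory tree and the POSIX filesystem are assumptions. It resolves the requested working directory and every write target through symlinks before checking that they stay under the project root.

```python
import os
import tempfile

def is_within(root, candidate):
    """True if candidate, after symlink resolution, is root or lies beneath it."""
    root_real = os.path.realpath(root)
    cand_real = os.path.realpath(candidate)
    # commonpath compares whole components, so "/p/project-evil" does not match "/p/project"
    return os.path.commonpath([root_real, cand_real]) == root_real

def validate_command(project_root, cwd, write_targets):
    """Return policy violations for an agent-requested command (empty list = allowed)."""
    violations = []
    # A relative cwd is interpreted against the project root; an absolute one replaces it.
    cwd_abs = os.path.join(project_root, cwd)
    if not is_within(project_root, cwd_abs):
        violations.append(f"cwd escapes project root: {cwd}")
        return violations  # do not evaluate targets against an untrusted cwd
    for target in write_targets:
        target_abs = os.path.join(cwd_abs, target)
        if not is_within(project_root, target_abs):
            violations.append(f"write target escapes project root: {target}")
    return violations

def demo():
    """Build a constructed project tree (hypothetical layout) and run the checks."""
    base = os.path.realpath(tempfile.mkdtemp())
    project = os.path.join(base, "project")
    outside = os.path.join(base, "outside")
    os.makedirs(os.path.join(project, "src"))
    os.makedirs(outside)
    # Constructed symlink that lives inside the project but points outside it
    os.symlink(outside, os.path.join(project, "link"))
    return {
        "normal": validate_command(project, "src", ["out.txt"]),
        "cwd_outside": validate_command(project, outside, ["out.txt"]),
        "dotdot": validate_command(project, "src", ["../../outside/x"]),
        "symlink": validate_command(project, ".", ["link/tool"]),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(case, "->", result or "allowed")
```

A check like this is only sound when it is enforced at the point of use by the component that performs the write, because a symlink created after the check reintroduces the escape.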
The discoveries by Cato AI Labs underscore the critical need for enhanced security measures in AI-powered development environments. As such vulnerabilities continue to surface, securing these tools is paramount to maintaining safe operational environments for businesses worldwide.
