Two significant security vulnerabilities have been identified in the widely-used AI code editor Cursor, potentially allowing remote code execution on the host operating system, as reported by Cato Networks.
Understanding the DuneSlide Vulnerabilities
The security flaws, known as CVE-2026-50548 and CVE-2026-50549, have been collectively named DuneSlide. These vulnerabilities pose a high risk with a CVSS score of 9.8, indicating their potential to execute code outside the Integrated Development Environment (IDE)’s sandbox.
Cato Networks has highlighted that these weaknesses exploit Cursor’s automatic execution of terminal commands within its sandbox environment, which occurs without requiring user approval. This can be activated when the IDE processes a malicious payload provided by an attacker.
Exploiting Sandbox Boundaries
The first vulnerability pertains to the security boundaries of the sandbox. Ideally, command execution should be confined to the current working directory. However, if a non-standard value is set for the working_directory parameter, it may inadvertently allow the inclusion of paths outside the intended scope.
This breach enables a malicious actor to manipulate an MCP server request, directing the system to adjust the working directory to a path specified by the attacker, beyond the project’s intended scope. This could lead to overwriting the cursorsandbox executable, thereby bypassing sandbox restrictions for future commands, facilitating unrestricted remote code execution.
Path Resolution and Symbolic Links
Independently, the second vulnerability impacts the IDE’s handling of file path resolutions, particularly concerning symbolic links. An attacker might craft a prompt that directs Cursor to create a symbolic link within the project directory that points externally.
A flaw in Cursor’s path resolution logic could cause it to default to using the original symbolic link path rather than determining whether the destination is within project boundaries. This oversight allows threat actors to exploit symlinks, again targeting the cursorsandbox executable.
Cato Networks informed Cursor about these issues in February, resulting in patches being issued in the release of Cursor 3.0 on April 2. The CVE identifiers for these vulnerabilities were subsequently assigned in early June.
For more detailed insights, consider attending the AI Risk Summit at the Ritz-Carlton, Half Moon Bay.
