
Two critical flaws have been found in Cursor, an AI-powered code editor. The flaws could let prompt injection escape the sandbox.
The issue is called DuneSlide. The two flaws are tracked as CVE-2026-50548 and CVE-2026-50549.
The risk is serious. An attacker could make commands run on a developer’s computer. In some cases, this can happen without an extra click from the user.
What Is Cursor?
Cursor is a code editor that uses AI to help developers. It can read code, suggest changes, and run terminal commands.
This makes development faster. However, it also creates new security risks.
If the AI reads malicious instructions from an outside source, those instructions may affect the agent. This is known as prompt injection.
Why These Flaws Matter
DuneSlide matters because it attacks the sandbox. The sandbox should limit what AI-run commands can do.
However, these flaws can bypass that limit. As a result, a command that should stay restricted may run outside the sandbox.
After that, the attacker may run commands with the user’s privileges. This can affect the developer’s machine and connected services.
How the Attack Works
The attack starts with prompt injection. The attacker does not need to type directly into the victim’s Cursor app.
Instead, the malicious instruction can be hidden in a source that the agent reads. This may include an MCP server, a web search result, or a connected service.
Then, the user asks a normal question. The agent reads the hidden instruction along with the normal content.
Because of this, the attack can be zero-click. The user does not need to click a bad link or approve a dangerous command.
CVE-2026-50548: Working Directory Abuse
The first flaw abuses the working directory parameter. This parameter is used when the agent runs a terminal command.
Normally, the command should run inside the project folder. However, the flaw can make another path appear trusted.
As a result, prompt injection can guide the agent to a location outside the project. The agent may then write files where it should not.
If an important sandbox helper file is overwritten, the sandbox can be disabled. Later commands may run without the same limits.
CVE-2026-50549: Symlink Issue
The second flaw involves symlinks. A symlink is a shortcut that points to another file location.
Cursor should check the real target before writing a file. This check is meant to keep file writes inside the workspace.
However, the check can fail in some cases. When it fails, Cursor may trust the original path that looks safe.
As a result, the agent may write outside the workspace through a symlink. This can lead to remote code execution.
Impact on Developers
The impact can be serious for developers. If the exploit works, attackers may run commands on the victim’s computer.
Also, connected services may be at risk. Many developers use their editor with cloud, Git, SaaS, and internal tools.
If the developer machine is compromised, the risk can spread. Repositories, tokens, and company workspaces may also be exposed.
Has It Been Exploited?
There is no sign that these flaws have been used in real attacks. The findings were published as security research.
Still, the risk remains high. Remote code execution issues need fast action.
This is especially true for AI coding tools. As more teams use them, flaws in these tools can have a wider impact.
Affected Versions
Cursor versions before 3.0 are affected. The fix is available in Cursor 3.0.
Because of this, users should update as soon as possible. Do not delay the update if Cursor is used for important work.
Companies should also check all developer devices. Make sure every endpoint runs a safe version.
Recommended Mitigation Steps
The main step is to update Cursor to version 3.0 or later. This is the safest way to fix the issue.
Also, limit what sources the AI agent can read. Do not connect the agent to untrusted MCP servers or unknown services.
Developers should be careful with features that run commands automatically. Review terminal access, tokens, and active integrations.
For companies, endpoint audits are also important. Teams should check for exposed tokens, risky config files, and unusual activity.
Key Takeaway
DuneSlide shows a new risk in AI coding tools. Prompt injection does not only affect AI responses.
In this case, prompt injection can help escape the sandbox. After that, commands may run on the developer’s computer.
For this reason, updating Cursor should be a priority. Beyond patching, security teams should also control AI agents, MCP access, and terminal permissions.
Source: https://thehackernews.com/2026/07/critical-cursor-flaws-could-let-prompt.html
