---
title: "DuneSlide: Cursor's Sandbox Had Two Ways Out, and Prompt Injection Found Both"
date: 2026-07-03
tags: ["cursor","security","prompt-injection","mcp","vulnerabilities","sandbox-escape","claude-code"]
categories: ["AI Tools","Industry"]
summary: "Cato AI Labs disclosed DuneSlide — two CVSS 9.8 vulnerabilities (CVE-2026-50548, CVE-2026-50549) that let zero-click prompt injection escape Cursor's sandbox and achieve full remote code execution. Both bugs were patched in Cursor 3.0 back in April, but Cursor's security team initially rejected the report in February, citing threat-model limitations, before reopening it under escalation."
---

![DuneSlide: Cursor's Sandbox Had Two Ways Out, and Prompt Injection Found Both](/images/cursor-duneslide-rce-prompt-injection-sandbox-escape.png)

Cursor's sandbox is supposed to be the backstop: even if an attacker gets a malicious instruction in front of the agent, the agent's commands run inside a walled-off environment that can't touch the rest of your machine. Cato AI Labs just published research showing two independent ways to walk straight out of that wall — no exploit chain, no privilege escalation, no click required beyond the prompt the agent was already going to process. Both bugs are patched. Both were live, unpatched, and rated critical for months before that happened.

## Two Bugs, One Destination

Cato calls the pair **DuneSlide**: [CVE-2026-50548](https://nvd.nist.gov/vuln/detail/CVE-2026-50548) and [CVE-2026-50549](https://nvd.nist.gov/vuln/detail/CVE-2026-50549), both scored **CVSS 9.8**. They reach the same endpoint — overwriting the `cursorsandbox` binary itself, which turns every subsequent "sandboxed" command into an unsandboxed one — by two unrelated routes.

**CVE-2026-50548** abuses a parameter nobody thought to distrust. Cursor's `run_terminal_cmd` tool accepts an optional `working_directory` argument, and whatever path gets passed there is added to the sandbox's allowed-write list without further validation. The parameter exists for legitimate reasons — agents sometimes need to run a command from a subdirectory — but nothing stops the agent from setting it to somewhere outside the project entirely. If an attacker can get the agent to populate that field, they've just added an arbitrary write target to the sandbox's own permission list.

**CVE-2026-50549** is subtler. Before writing anywhere, Cursor tries to canonicalize the target path — resolve any symlinks — to confirm the real destination sits inside the project. The fallback logic is the bug: if canonicalization fails, because the target doesn't exist yet or the attacker has stripped read permission from a directory in the path, Cursor gives up and trusts the symlink's *apparent* in-project location instead of its real one. Point a symlink at `cursorsandbox` or a shell init file, break the canonicalization check on purpose, and the sandbox writes through the link as if it were a normal project file.
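As an added illustration that is not Cursor's code or Cato's, the constructed Python model below puts each of the two broken checks beside a fail-closed version: a canonicalization fallback that trusts the lexical path, versus one that refuses to write through a symlink or an unresolvable parent directory, and a `working_directory` argument that only becomes a write root once it canonicalizes inside the project. Function names and the fixture layout (a dangling in-project symlink pointing outside the project) are assumptions.

```python
import os
import tempfile
from pathlib import Path

def weak_is_in_project(project_root: Path, target: Path) -> bool:
    """Models the fallback described above (constructed, not Cursor's code):
    canonicalize the target, and if that fails trust the lexical path."""
    try:
        real = target.resolve(strict=True)
    except OSError:
        real = Path(os.path.abspath(target))  # trusts where the link *appears* to be
    return real == project_root or project_root in real.parents

def hardened_is_in_project(project_root: Path, target: Path) -> bool:
    """Fail closed: never write through a symlink, and require the parent
    directory to canonicalize strictly to a location inside the project."""
    root = project_root.resolve(strict=True)
    target = Path(os.path.abspath(target))
    if target.is_symlink():            # dangling or not, a link is not a project file
        return False
    try:
        real_parent = target.parent.resolve(strict=True)
    except OSError:
        return False                   # real location cannot be established: refuse
    return real_parent == root or root in real_parent.parents

def accept_working_directory(project_root: Path, working_directory: Path):
    """Hardened handling of a working_directory argument: it is only added as a
    write root if its canonical location is inside the project, else None."""
    root = project_root.resolve(strict=True)
    try:
        real = working_directory.resolve(strict=True)
    except OSError:
        return None                    # cannot canonicalize: do not widen the write list
    return real if (real == root or root in real.parents) else None

def build_fixture() -> dict:
    """Constructed layout: a project dir, an outside dir, and a symlink inside
    the project pointing at a file outside it that does not exist yet."""
    base = Path(tempfile.mkdtemp()).resolve()
    project, outside = base / "project", base / "outside"
    (project / "src").mkdir(parents=True)
    outside.mkdir()
    link = project / "notes.txt"
    link.symlink_to(outside / "new_file")   # dangling: strict canonicalization fails
    return {"project": project, "outside": outside, "link": link}

if __name__ == "__main__":
    fx = build_fixture()
    print("weak check allows dangling link:", weak_is_in_project(fx["project"], fx["link"]))
    print("hardened check allows it:", hardened_is_in_project(fx["project"], fx["link"]))
    print("outside dir accepted as working_directory:", accept_working_directory(fx["project"], fx["outside"]))
```

The weak check returns True for the dangling link because strict resolution fails and the lexical path sits inside the project; the hardened check rejects the link outright and only ever widens the write list with a directory whose real location has been established.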

Neither bug requires the developer to do anything unusual. The attacker's payload arrives the way prompt injection always arrives now — planted in an MCP server's response, or in a web page the agent's search tool happens to pull back — and the agent, doing exactly what it's designed to do, acts on it. Cato's framing is the right one: "prompt injection can reach beyond the LLM layer and expose classical vulnerabilities in code paths that were not traditionally considered part of the attack surface."

## The Disclosure Timeline Is the Real Story

The technical chain is bad. The disclosure timeline is arguably worse, because it's a preview of how these reports get handled industry-wide.

Cato reported both issues to Cursor on **February 19, 2026**. Four days later, Cursor's security team rejected the report, citing "threat model limitations" — reasoning that appears to have excluded prompt-injection-driven parameter manipulation from what the sandbox was supposed to defend against. Cato escalated on **February 26**, the issues were reopened, and a fix for the `working_directory` bug landed in **Cursor 3.0** on **April 2**. The symlink fix shipped in that same 3.0 release, but Cato says the fix wasn't formally confirmed until **June 1** — a two-month gap between "patched" and "verified patched" for a 9.8. CVE numbers weren't assigned until **June 5**, and public disclosure didn't land until this week.

That's roughly four and a half months from first report to public writeup, with an initial rejection in the middle of it. Every version of Cursor before 3.0 was exploitable the entire time. This is the same pattern this blog flagged with [CVE-2026-26268 in May](/posts/cve-2026-26268-cursor-rce-ide-security-architecture/) — a git-hook sandbox escape that Anysphere patched in version 2.5 while publicly contesting the severity rating NVD assigned it. Two sandbox-escape RCEs, roughly ten weeks apart, both critical, both requiring outside researchers to push past an initial dismissive response before a fix shipped.

## Why the Sandbox Keeps Losing

The pattern across both incidents is the same one this blog keeps coming back to with [SymJack and TrustFall](/posts/symjack-trustfall-rce-ai-coding-agents/): a sandbox is a boundary defined by a threat model, and an agent that reads attacker-controlled content — an MCP response, a web result, a file in a cloned repo — is a mechanism for updating that threat model without anyone signing off on the update. DuneSlide's `working_directory` bug isn't a coding mistake in the traditional sense; it's a parameter that was reasonable to expose when the only thing that could set it was a trusted developer typing a command, and became a vulnerability the moment an LLM agent — steerable by anything it reads — got to populate it instead.

Cursor's initial "threat model limitations" rejection is the tell. It means the sandbox was designed against a model where the agent's own tool parameters were implicitly trusted, because historically nothing external could influence them. Prompt injection breaks that assumption everywhere it appears, and IDE-embedded agents that inherit full desktop-process privileges have the most surface for it to matter on: DuneSlide's blast radius extends to "connected SaaS workspaces," not just the local filesystem.

Claude Code's terminal-native model doesn't make this class of bug impossible — no agent that reads arbitrary files is immune to prompt injection, full stop. But a Bash tool call is a visible, auditable line in the session transcript subject to approval by default, not a silently expanded write-list entry inside an opaque sandbox implementation. Anthropic's `sandbox.credentials` feature, shipped in the same window as DuneSlide's disclosure, is explicitly built around denying agent processes access to secrets and credential files regardless of what parameters get passed — a narrower, more auditable primitive than "trust this working directory unless proven otherwise."

## What to Actually Do

If you're running anything before Cursor 3.0, you've been exploitable since before the patch existed — update now, not on your next routine cycle. If you're already on 3.0 or later, DuneSlide itself is closed, but the pattern isn't: audit every tool definition in your agentic coding stack for parameters that accept a path, and ask whether an LLM populating that parameter from untrusted content could turn it into a write primitive. That question doesn't have a patch. It has to be asked fresh for every tool, in every agent, going forward.

---

**Sources:**
- [DuneSlide: Two Critical RCE Vulnerabilities via Zero-Click Prompt Injection in Cursor IDE — Cato Networks](https://www.catonetworks.com/blog/duneslide-two-critical-rce-vulnerabilities/)
- [Critical Cursor Flaws Could Let Prompt Injection Escape Sandbox and Run Commands — The Hacker News](https://thehackernews.com/2026/07/critical-cursor-flaws-could-let-prompt.html)
- [Cursor IDE Vulnerabilities Let Prompt Injection Escape the Sandbox — Latest Hacking News](https://latesthackingnews.com/2026/07/02/cursor-ide-vulnerabilities-sandbox-escape/)
- [Sandbox bypass flaws in Cursor IDE highlight prompt injection as an RCE vector — CSO Online](https://www.csoonline.com/article/4191923/sandbox-bypass-flaws-in-cursor-ide-highlight-prompt-injection-as-an-rce-vector.html)
- [Cursor IDE Critical RCE Flaws Let Attackers Overwrite System Files via Prompt Injection — CyberPress](https://cyberpress.org/cursor-ide-critical-rce-flaws/)
