Critical Cursor Flaws Enable Zero-Click Sandbox Escape via Prompt Injection
Two critical vulnerabilities in Cursor, the AI-powered code editor used by more than half the Fortune 500, allow a single prompt-injected instruction to escape the application's built-in sandbox and execute arbitrary commands on a developer's machine. Tracked as CVE-2026-50548 and CVE-2026-50549 and disclosed by Cato AI Labs under the name DuneSlide, the flaws carry CVSS scores of 9.8 (v3.1) and 9.3 (v4.0). Both bugs are patched in Cursor 3.0, released April 2, 2026, and every earlier version remains vulnerable. The attack requires no user interaction—no malicious link to click, no approval prompt to bypass—making it effectively zero-click from the victim's perspective.
The exploit chain relies on prompt injection delivered through indirect channels such as a Model Context Protocol (MCP) server or a web-search result the agent reads on the user's behalf. Hidden instructions steer the Cursor agent to write a single file outside its permitted boundaries, then use that write to neutralize the sandbox itself. CVE-2026-50548 abuses the run_terminal_cmd tool's optional working_directory parameter: when set to a non-default path, Cursor automatically appends that path to its allow-list, letting an attacker overwrite the sandbox helper binary at /Applications/Cursor.app/Contents/Resources/app/resources/helpers/cursorsandbox on macOS, or shell startup files like ~/.zshrc. CVE-2026-50549 reaches the same result through a different flaw: the symlink-resolved path check Cursor performs before a write falls back to trusting the in-project path when resolution fails, so a crafted symlink inside the project can redirect the write outside the project tree.
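The two path checks described above are easiest to compare side by side. The following is an added illustration, not Cursor's code and not taken from the Cato AI Labs write-up: a reconstruction of the fail-open pattern the article attributes to CVE-2026-50549 (resolve symlinks, fall back to the lexical in-project path when resolution fails) next to a fail-closed containment check that refuses to write through any symlink at the final path component and rejects the request when its parent cannot be resolved. The same fail-closed test is what should gate a working_directory before it is ever added to an allow-list, the weakness behind CVE-2026-50548. The directory layout, file names and symlink target are constructed for the demonstration.

```python
import os
import tempfile
from pathlib import Path


def weak_is_inside_project(requested: str, root: Path) -> bool:
    """Reconstruction of the fail-open pattern described for CVE-2026-50549
    (not Cursor's code). Symlinks are resolved, but when resolution fails the
    check falls back to the lexical in-project path. A dangling symlink inside
    the project makes resolution fail, so the check trusts the in-project
    location even though the write lands wherever the link points."""
    candidate = root / requested
    try:
        real = candidate.resolve(strict=True)
    except OSError:
        real = Path(os.path.normpath(candidate))  # fallback: unresolved path
    return real == root or root in real.parents


def hardened_is_inside_project(requested: str, root: Path) -> bool:
    """Fail-closed containment check for a path the agent wants to write to.
    Use the same test for a requested working_directory before adding it to
    any allow-list."""
    rel = Path(requested)
    if rel.is_absolute():
        return False
    root_real = root.resolve(strict=True)
    candidate = root_real / rel
    # Never write through a symlink at the final component, dangling or not.
    if candidate.is_symlink():
        return False
    try:
        parent_real = candidate.parent.resolve(strict=True)
    except OSError:
        return False  # parent missing or unresolvable: refuse, do not guess
    target = parent_real / candidate.name
    return target == root_real or root_real in target.parents


def demo() -> dict:
    """Constructed layout: a project directory with a src/ folder, a sibling
    directory outside the project, and a dangling symlink inside the project
    that points at a not-yet-existing file outside it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "project"
        (root / "src").mkdir(parents=True)
        outside = Path(tmp) / "outside"
        outside.mkdir()
        (root / "notes.md").symlink_to(outside / "payload.txt")  # target absent
        return {
            "weak_symlink": weak_is_inside_project("notes.md", root),
            "hardened_symlink": hardened_is_inside_project("notes.md", root),
            "hardened_plain": hardened_is_inside_project("src/main.py", root),
            "hardened_traversal": hardened_is_inside_project("../outside/x.txt", root),
            "hardened_absolute": hardened_is_inside_project(str(outside / "x"), root),
        }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:20s} -> {'allowed' if verdict else 'rejected'}")
```

The weak check accepts the dangling symlink because its fallback compares a path that was never resolved, which is exactly the gap the article describes; the hardened check rejects it, rejects traversal and absolute paths, and still accepts an ordinary new file under the project root.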
Once the sandbox helper is overwritten, every subsequent command the agent issues runs without restriction, inheriting the developer's full privileges and access to any cloud or SaaS workspace where the editor is authenticated. Cato AI Labs has framed the disclosure as research and reports no evidence of in-the-wild exploitation to date.
Organizations running Cursor should immediately verify they are on version 3.0 or later, audit agent-permitted MCP servers, and review their broader endpoint posture. Tools like our port scanner can help confirm no unauthorized listeners were left behind after a suspected incident, while a password checker and a privacy checkup are useful for assessing whether credentials cached in the editor's environment may have been exposed or reused across services.
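The first two steps of that checklist, confirming the installed version and enumerating the MCP servers the agent is allowed to talk to, are simple enough to script. Below is an added example, not a tool from the article or from Cursor: it parses a version string such as the output of a `--version` command, compares it against the 3.0 fix release, and summarizes each configured MCP server so a reviewer can see what the agent will execute or connect to. The layout assumed for the MCP configuration (a top-level "mcpServers" object whose entries carry either a "command" with "args" or a "url") is an assumption, as are the sample version text and configuration, which are constructed for the demonstration.

```python
import json
import re

MIN_PATCHED = (3, 0, 0)  # Cursor 3.0 carries the fix for both CVEs


def parse_version(text: str) -> tuple:
    """Extract the first dotted version number from free text (for example
    the output of a --version command) as a comparable tuple."""
    m = re.search(r"\b(\d+)\.(\d+)(?:\.(\d+))?\b", text)
    if not m:
        raise ValueError(f"no version number in: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_patched(version_text: str) -> bool:
    """True when the installed version is 3.0 or later."""
    return parse_version(version_text) >= MIN_PATCHED


def summarize_mcp_servers(config_text: str) -> list:
    """Assumed mcp.json layout: {"mcpServers": {name: spec}} where spec has
    either "command" (+ "args") for a local process or "url" for a remote
    server. This layout is an assumption, not taken from the article."""
    cfg = json.loads(config_text)
    summary = []
    for name, spec in cfg.get("mcpServers", {}).items():
        if "url" in spec:
            summary.append({"name": name, "kind": "remote", "launch": spec["url"]})
        else:
            parts = [spec.get("command", "")] + list(spec.get("args", []))
            summary.append({"name": name, "kind": "local", "launch": " ".join(parts).strip()})
    return summary


def audit(version_text: str, config_text: str) -> list:
    """Return human-readable findings: one line for the version status, then
    one REVIEW line per configured MCP server."""
    version = ".".join(map(str, parse_version(version_text)))
    findings = []
    if is_patched(version_text):
        findings.append(f"OK: Cursor {version} includes the fixes for CVE-2026-50548 and CVE-2026-50549")
    else:
        findings.append(f"UPDATE: Cursor {version} is below 3.0; CVE-2026-50548 and CVE-2026-50549 are unpatched")
    for s in summarize_mcp_servers(config_text):
        findings.append(f"REVIEW: MCP server '{s['name']}' ({s['kind']}): {s['launch']}")
    return findings


# Constructed sample inputs (not real installation data).
SAMPLE_VERSION = "2.4.1\ndeadbeef\nx64"
SAMPLE_MCP = json.dumps({
    "mcpServers": {
        "filesystem": {"command": "npx", "args": ["-y", "example-fs-server", "/work"]},
        "docs-search": {"url": "https://mcp.example.invalid/sse"},
    }
})


if __name__ == "__main__":
    for line in audit(SAMPLE_VERSION, SAMPLE_MCP):
        print(line)
```

Every server listed is a channel through which content the agent reads can carry injected instructions, so each REVIEW line is a prompt to confirm the server is expected and its source trusted, not a verdict on its own.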