← Incident Database
Tool Abuse / Excessive AgencyCritical
DuneSlide: zero-click prompt injection to OS-level RCE in Cursor (CVE-2026-50548, CVE-2026-50549)
July 2026 · Cursor AI code editor
What happened
Cato AI Labs disclosed DuneSlide, two critical vulnerabilities (CVE-2026-50548 and CVE-2026-50549, both CVSS 9.8) that turn zero-click prompt injection into full operating-system remote code execution in Cursor. An attacker plants instructions in something the agent reads on the user's behalf, such as a connected MCP server or a page returned by web search, with no typing from the user, then drives the agent to overwrite Cursor's sandbox helper and escape into unsandboxed execution. Both bugs let a threat actor run arbitrary code on the host and reach connected SaaS workspaces.
Root cause
Two sandbox-escape paths both ended in overwriting Cursor's cursorsandbox helper binary. CVE-2026-50548 abused the optional working_directory parameter on the run_terminal_cmd tool: when the agent set it to a non-default path, Cursor added that path to the sandbox allowed-write list without validation, letting the agent overwrite the helper. CVE-2026-50549 abused a path-canonicalization fallback: when canonicalization failed, Cursor reused the original symlink path, so a write-only symlink pointing at the same helper bypassed the out-of-bounds-write protection. In both cases the agent acted on untrusted injected instructions while holding write access it should not have had.
Fix / outcome
Patched in Cursor 3.0 (released April 2, 2026); every version before 3.0 is affected. Cato reported the working-directory bug on February 19, 2026, the symlink fix landed June 1, and both CVEs were assigned June 5. Upgrade to Cursor 3.0 or later, and treat MCP servers and web-search results as untrusted input to the agent.
Sources
Learn this attack class
This incident is an example of Tool Abuse / Excessive Agency. Read the guide, then try it hands-on in the Academy.