Cato AI Labs has disclosed DuneSlide, a pair of critical vulnerabilities in Cursor, the AI-powered code editor now used inside more than half of the Fortune 500. Tracked as CVE-2026-50548 and CVE-2026-50549 and each rated 9.8 on CVSS, the flaws let an attacker escape Cursor’s sandbox and reach full, unsandboxed remote code execution on a developer’s machine, without the developer opening a malicious file, running an untrusted command, or clicking anything at all.
An attack that never touches the keyboard
DuneSlide is a zero-click prompt injection chain. The attacker never types into Cursor directly. Instead they plant instructions inside content the AI agent reads on the developer’s behalf: a page returned by a web search the agent performs, or data pulled from a connected service over the Model Context Protocol (MCP). The agent ingests that content as part of doing its job, and the injected instructions ride along, invisible to the developer, until they trigger a file write outside the sandbox boundary.
CVE-2026-50548 abuses the optional working_directory parameter on Cursor’s run_terminal_cmd tool. The sandbox is designed to permit writes into a command’s working folder, and when the agent sets that parameter to a non-default path, Cursor adds the path to its allowed-write list without further scrutiny. Injected instructions steer the agent to point that parameter at a system file instead of the project directory, in the worst case overwriting the sandbox helper binary itself, so that every command run afterward executes with no sandbox at all.
CVE-2026-50549 targets a safety check that is supposed to catch exactly this kind of trick. Before writing a file, Cursor resolves symbolic links to confirm the real destination sits inside the project. The bug is in the fallback: when that resolution fails, because the target does not exist yet or an attacker has stripped read access from a folder along the path, Cursor gives up and trusts the symlink’s apparent in-project location instead of the verified one.
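Added example, not Cursor's code: a path-containment check written in the fail-open shape the two paragraphs above describe (strict symlink resolution fails, so the apparent location is trusted) next to a fail-closed version that resolves the deepest existing ancestor and refuses on any error, which also rejects an absolute working-directory override. Function names and the temporary-directory fixture are constructed for illustration.

```python
import os
import tempfile
from pathlib import Path

def _within(root: Path, real: Path) -> bool:
    return real == root or root in real.parents

def weak_is_within(project_root: str, target: str) -> bool:
    """Fail-open check modelled on the fallback the advisory describes: if strict
    resolution fails (missing target, unreadable directory) trust the lexical path."""
    root = Path(project_root).resolve()
    candidate = Path(os.path.join(project_root, target))
    try:
        real = candidate.resolve(strict=True)
    except OSError:
        real = Path(os.path.normpath(candidate))  # apparent location only
    return _within(root, real)

def strict_is_within(project_root: str, target: str) -> bool:
    """Fail-closed check: resolve the deepest existing ancestor strictly,
    reattach the not-yet-created tail, and deny on any resolution error."""
    try:
        root = Path(project_root).resolve(strict=True)
        existing = Path(os.path.join(project_root, target))
        tail = []
        while not os.path.lexists(existing):  # a dangling symlink still counts as present
            tail.insert(0, existing.name)
            existing = existing.parent
        if ".." in tail:  # '..' below a not-yet-created directory is a lexical escape
            return False
        real = existing.resolve(strict=True).joinpath(*tail)
    except OSError:  # missing, unreadable or dangling: refuse the write
        return False
    return _within(root, real)

def demo() -> dict:
    """Constructed fixture: project/link is a symlink to a directory outside."""
    base = os.path.realpath(tempfile.mkdtemp())
    project, outside = os.path.join(base, "project"), os.path.join(base, "outside")
    os.makedirs(project)
    os.makedirs(outside)
    os.symlink(outside, os.path.join(project, "link"))
    return {
        "new_file_weak": weak_is_within(project, "src/new_module.py"),
        "new_file_strict": strict_is_within(project, "src/new_module.py"),
        "via_link_weak": weak_is_within(project, "link/payload.txt"),
        "via_link_strict": strict_is_within(project, "link/payload.txt"),
        "abs_workdir_strict": strict_is_within(project, "/usr/local/bin"),
        "dotdot_strict": strict_is_within(project, "newdir/../../outside/x"),
    }
```

The weak variant approves `link/payload.txt` because the file does not exist yet and the lexical path looks in-project; the strict variant resolves `link` first and sees the write would land outside.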
A five-month disclosure fight
Cato reported the working-directory flaw to Cursor’s security team on 19 February. It was rejected on 23 February. Cato escalated both issues directly on 26 February, at which point they were reopened and properly triaged. The fix for CVE-2026-50548 shipped with Cursor 3.0 on 2 April. The fix for CVE-2026-50549 followed and was confirmed in place by 1 June. CVE identifiers were formally assigned on 5 June, more than three months after the first report. Every version of Cursor before 3.0 is affected.
This is Cato’s second RCE disclosure in Cursor this year, following an earlier finding dubbed CurXecute involving MCP auto-start behaviour. Two serious remote code execution chains in the same AI coding tool inside a matter of months is not a one-off implementation bug; it is a pattern in how these tools reason about sandbox boundaries when an autonomous agent, not a human, is the one deciding what to read and where to write.
Why European engineering teams should care
Agentic coding tools are moving from novelty to default tooling across European development organisations at speed, and most are being adopted the way browser extensions once were: installed for productivity, rarely inventoried, and almost never included in the same supply chain security review applied to open source dependencies or CI/CD pipelines. DuneSlide shows why that gap matters. The compromise vector is not a malicious package a developer chose to install; it is content the AI agent was always going to read as part of routine work: a search result, a connected ticketing system, an MCP server the team trusts.
What we recommend
- Inventory every AI-assisted IDE and coding agent in use across your engineering organisation, including tools adopted informally by individual developers
- Confirm every Cursor installation is on version 3.0 or later, and apply the same update discipline to other agentic coding tools with MCP or web-browsing capability
- Audit which MCP servers your teams connect to, and treat each connection as a trust boundary, not a convenience
- Extend existing supply chain and endpoint security policies to explicitly cover AI development tools, with the same rigour applied to browser and editor extensions
- Restrict agent tool permissions, particularly filesystem write scope and working directory overrides, wherever the platform allows it
If your organisation needs help assessing exposure to DuneSlide, building an inventory and governance process for AI coding tools, or extending your supply chain security programme to cover agentic development tooling, contact Excello Digital. We help European engineering teams adopt AI-assisted development without expanding their attack surface.
