system: OPERATIONAL
← back to all hacks
AGENTS CRITICAL NEW

DuneSlide: prompt injection escapes Cursor's terminal sandbox to RCE

Cato AI Labs disclosed two critical flaws in Cursor's auto-run sandbox on July 1, 2026. A single poisoned prompt overwrites the sandbox helper binary and turns a locked box into full code execution — zero click.

2026-07-02 // 7 min affects: cursor-2.x, cursor-<3.0, coding-agents

What is this?

On July 1, 2026, Cato AI Labs (Itay Ravia’s team, formerly Aim Security) published DuneSlide, a pair of critical remote-code-execution flaws in the Cursor AI code editor. Both are rated 9.8 (CVSS 3.1) and both do the same thing: they let a single, ordinary-looking prompt break out of Cursor’s terminal sandbox and run arbitrary commands on the developer’s machine. There is no click to fall for and no approval box to ignore — the researchers call it zero-click.

The entry point is prompt injection. The attacker never touches your Cursor. They plant instructions in something your agent reads on your behalf — a connected service reached over the Model Context Protocol (MCP), or a page returned by a web search — and those hidden instructions ride along with your innocent question. Cato reported both issues on February 19, 2026; they were patched in Cursor 3.0 (released April 2), and the vulnerability IDs were assigned on June 5. Every version before 3.0 is affected. Cursor’s maker says over half the Fortune 500 use the tool.

How it works

Starting in the 2.x line, Cursor runs the terminal commands its agent issues inside a sandbox by default, with no approval prompt — a deliberate design choice to avoid approval fatigue while keeping a stray instruction from wrecking the machine. DuneSlide is about getting out of that box. Both flaws follow the same shape: coax the agent into writing one file it should not be allowed to write, then use that write to switch the sandbox off. No payloads are reproduced here; the mechanism is described at the architectural level, per Cato’s write-up.

The first flaw abuses a tool parameter. Cursor’s sandbox grants write access to a command’s working directory, and that directory is an optional argument (working_directory) on the run_terminal_cmd tool. When the agent sets it to a non-default path, Cursor adds that path to the allowed-write list without question. Injected instructions can steer the agent to point it at a system file instead of the project — for example the sandbox helper binary itself (on macOS, /Applications/Cursor.app/Contents/Resources/app/resources/helpers/cursorsandbox). Overwrite that, and every later command runs with no sandbox at all. Shell startup files such as ~/.zshrc or ~/Library/LaunchAgents work as targets too.

The second flaw abuses a safety check. Before writing, Cursor resolves symlinks to confirm the real destination sits inside the project. The bug is the fallback: when canonicalization fails — because the target does not exist, or the attacker strips read permission from a directory in the path — Cursor gives up and trusts the symlink’s in-project path instead. An attacker creates a write-only symlink that points outside the project, forces the check to fail, and Cursor writes straight through it to the same sandbox helper. Same escape, different door.

The common lesson: in classical software a remote attacker cannot set your working directory or plant symlinks on your disk. In a coding agent, a prompt injection becomes the passageway to exactly those primitives.

Why it matters

Once the sandbox helper is neutralized, the next command runs as you. That is control of the developer’s machine plus any cloud or SaaS workspaces the editor is signed into — all from one harmless-looking prompt. There is no evidence of exploitation in the wild; Cato presents this as research, and the public record shows no known abuse as of disclosure.

The deeper point is where the vulnerability lives. The injection is the delivery mechanism, but the actual bugs are classical: unchecked trust in a tool parameter, and a broken path-canonicalization fallback. Prompt injection reached past the model layer and lit up code paths that were never considered part of the attack surface. This is also the latest in a run of Cursor sandbox-and-config escapes (CurXecute, MCPoison, and a booby-trapped Git-hook flaw earlier in 2026), each defeating a different guardrail. Cato says it is disclosing similar issues across other coding agents and argues the problem is structural, not a string of one-offs.

Defenses

  1. Update now. Upgrade every Cursor install to 3.0 or later; both flaws are fixed there and all prior versions are vulnerable. This is the single highest-value action.
  2. Treat agent-readable content as untrusted input. MCP connector responses and web-search results are attacker-controllable. Cursor’s original threat model explicitly did not cover misuse of a standard MCP server (even the official Linear integration) — do not inherit that assumption. Restrict which MCP servers an agent can reach, and prefer read-only or vetted connectors.
  3. Protect the trust boundary’s own artifacts. A sandbox is only as strong as the integrity of the binary that enforces it. Make sandbox helpers, agent config files, and shell startup files (~/.zshrc, ~/.zshenv, ~/Library/LaunchAgents) read-only or integrity-monitored so an out-of-bounds write is detectable even if a guardrail is bypassed.
  4. Keep a human in the loop for irreversible actions. Auto-run-without-approval trades safety for convenience. For agents operating on untrusted input, require confirmation on writes outside the project root and on any command touching application internals.
  5. Monitor for the escape, not just the injection. Endpoint telemetry that flags writes to application resource directories, new LaunchAgents, or edits to shell rc files will catch the post-injection stage of this class of attack regardless of the specific prompt used.
  6. Assume the pattern generalizes. Any agent that reads the open web and can execute commands shares this exposure. Inventory your coding-agent fleet and apply the same controls before the next disclosure lands.

Status

ItemReferenceDateNotes
DuneSlide disclosureCato AI Labs2026-07-01Two RCE flaws, CVSS 9.8 (3.1)
Working-directory flawCVE-2026-505482026-06-05 (ID assigned)working_directory added to allow-list without validation
Symlink-canonicalization flawCVE-2026-50549 / GHSA-3v8f-48vw-3mjx2026-06-05 (ID assigned)Fallback trusts in-project symlink path on canonicalization failure
Reported to CursorCato AI Labs2026-02-19Initially rejected 2026-02-23, re-opened after 2026-02-26 escalation
Fix shippedCursor 3.02026-04-02All versions before 3.0 affected
Exploitation in the wildNVD / Cato2026-07-01None known as of publication

The right framing is not “an AI editor had a bug.” It is that prompt injection is now a reliable way to reach classical vulnerabilities inside autonomous command-execution environments — and the fix for the injection layer does not fix the code paths it can reach. Patch to 3.0, then treat every input your agent reads as hostile.

Sources