Researchers have discovered two vulnerabilities in the widely used Cursor AI-enabled integrated development environment (IDE) that can be exploited through prompt injection to achieve remote code execution (RCE).

The two flaws, tracked as CVE-2026-50548 and CVE-2026-50549, allow attackers to break out of Cursor’s command execution sandbox, the protective layer that’s supposed to prevent the internal AI agent from performing rogue actions on the underlying operating system.

“The exploit requires no prior user privileges or specific user interaction,” researchers from Cato Networks, who found the flaws, said in their report. “It is triggered when a victim makes an innocuous prompt that inadvertently ingests a threat actor-controlled payload from an untrusted source, such as an MCP server or a web search result.”

Cursor, which was recently acquired by SpaceX for $60 billion in stock, produces one of the most widely used AI-assisted coding tools in the enterprise space. The two flaws were patched in version 3.0 of the Cursor IDE, which was released in April.

Native vulnerability in LLMs

Large Language Models (LLMs) are natively vulnerable to malicious instructions hidden inside the content they process. This is particularly dangerous in the age of agentic AI, where LLMs are combined with a variety of tools, including browsers and APIs, that give them access to third-party public content: web pages in search results, RSS feeds, code in repositories, comments in bug trackers, emails in users’ inboxes, and users’ documents.

Protecting AI tools from prompt injection is very hard and usually involves a layered approach: guardrails built into the model by the AI lab that created it, system-prompt instructions to treat certain content as passive data, supervisor models running on top of the LLMs that process the data, traditional keyword filtering, context segmentation, granular access controls, putting humans back into the loop to approve sensitive operations, and more.

AI-assisted IDEs like Cursor, as well as command line agentic coding harnesses, usually prompt the user for approval by default for every file modification or command they need to execute. But this is not practical for autonomous coding workflows, and quickly leads to approval fatigue.

Another way to address that issue is to run these autonomous workflows inside containers, virtualized environments, or sandboxes, so that if the agents execute malicious instructions due to rogue prompts injected in third-party data sources, the impact is limited. Cursor uses a command execution sandbox that by default limits file writes to the current project’s directory.

Logic flaws in the isolation layer

However, the Cato researchers discovered that the run_terminal_cmd tool supports a parameter called working_directory that allows overriding that default path programmatically.

“A prompt injection (served through an innocuous MCP server request, or a poisoned web result) can steer the LLM to set the working_directory to a threat actor-controlled path outside the project scope,” they explained.

By exploiting this oversight, attackers could overwrite the cursorsandbox executable itself in the application path, or write malicious scripts to the shell configuration file, which gets loaded every time the user executes a command, or to the system’s start-up folders such as ~/Library/LaunchAgents on macOS.

Separately, the researchers also found that attackers could instruct the Cursor agent to create a symbolic link (symlink) file inside the project directory, pointing to a file that resides outside of the directory.

“By default, the Cursor Agent attempts to canonicalize paths (resolving symlinks) to determine their true location and verify they are within the project root,” the researchers said. “The vulnerability occurs because the canonicalization logic contains a dangerous fallback: if canonicalization fails (for example, when the path doesn’t exist or if the path lacks read permissions on one of its directories), Cursor falls back to using the original symlink path inside the project directory.”
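To make the two isolation failures concrete, here is an added example (not Cursor’s or Cato’s code) that reconstructs the canonicalization fallback the researchers describe and places a fail-closed check beside it; the project layout, file names and function names are constructed for the demonstration. The same containment check should be applied to every path-bearing tool parameter, including working_directory, rather than only to the file being written.

```python
import os
import tempfile
from pathlib import Path


def vulnerable_in_project(path: str, root: str) -> bool:
    """Reconstruction of the logic described in the report (not Cursor's code):
    canonicalize the path, and if that fails, trust the raw path as given."""
    real_root = Path(root).resolve(strict=True)
    try:
        resolved = Path(path).resolve(strict=True)
    except OSError:                      # target missing or unreadable...
        resolved = Path(os.path.abspath(path))  # ...so the unresolved link path is used
    return resolved == real_root or real_root in resolved.parents


def hardened_in_project(path: str, root: str) -> bool:
    """Fail closed: the parent directory must strictly resolve inside the
    project, and the final component must not itself be a symlink."""
    real_root = Path(root).resolve(strict=True)
    target = Path(path)
    if not target.is_absolute():
        target = real_root / target
    try:
        parent = target.parent.resolve(strict=True)  # any OSError means deny
    except OSError:
        return False
    if target.is_symlink():              # uses lstat, so dangling links are caught too
        return False
    final = parent / target.name
    return final == real_root or real_root in final.parents


def build_demo() -> dict:
    """Constructed layout: a project root with a real subdirectory, a symlink
    to an existing file outside it, and a dangling symlink pointing outside."""
    tmp = Path(tempfile.mkdtemp()).resolve()
    root = tmp / "project"
    (root / "src").mkdir(parents=True)
    outside = tmp / "outside"
    outside.mkdir()
    (outside / "rc").write_text("# constructed file outside the project\n")
    (root / "live_link").symlink_to(outside / "rc")
    (root / "dangling_link").symlink_to(outside / "does_not_exist_yet")
    cases = {
        "normal": str(root / "src" / "main.py"),        # new file inside the project
        "absolute_outside": str(outside / "rc"),        # e.g. a rogue working_directory
        "live_symlink": str(root / "live_link"),        # canonicalization works here
        "dangling_symlink": str(root / "dangling_link"),  # canonicalization fails here
    }
    return {n: (vulnerable_in_project(p, str(root)), hardened_in_project(p, str(root)))
            for n, p in cases.items()}
```

The dangling-symlink case is the one that separates the two checks: the reconstructed fallback accepts the write because the link resolves to nothing, while the fail-closed version denies it.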

These two vulnerabilities, which Cato has dubbed DuneSlide, can allow complete compromise of the underlying operating system through executing code outside of the restricted Cursor sandbox. More than that, however, they show that prompt injection can be an attack vector for exploiting vulnerabilities in the software used to implement the AI agents.

Cursor is far from the only AI-powered IDE or coding harness, and, according to the researchers, not the only one that has such logic flaws in its isolation layers.

“Had these issues been singular cases of compromise via prompt injections, we might have attributed them to specific vulnerabilities,” they said. “Cato AI Labs, however, is in the process of responsibly disclosing vulnerabilities in all popular coding agents, highlighting that a more systemic approach to protection is required.”