Cursor flaws let a poisoned prompt escape the AI coding sandbox and run commands
Researchers at Cato AI Labs detailed two flaws, dubbed DuneSlide, in the AI code editor Cursor that let a prompt-injection attack break out of the sandbox Cursor uses to contain the commands its agent runs. The attacker never types anything: they plant instructions in content the agent reads on the user's behalf, such as a connected MCP service or a web page. One flaw abuses a working-directory setting to get an attacker path added to the allowed-write list, letting injected commands overwrite the sandbox helper itself and then run with no sandbox. Both are rated 9.8 and are fixed in Cursor 3.0; every earlier version is affected, so users should update.
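The allowlist mistake the article describes (a working-directory setting appended to the allowed-write list without checking what it covers) next to a hardened version, as an added Python example; this is not Cursor's code, and the helper path, directory layout and function names are assumptions for illustration only.

```python
import os

# Constructed location of the sandbox helper binary; Cursor's real path is
# not given on the page, so this is a placeholder for the example.
SANDBOX_HELPER = "/opt/agent/sandbox/sandbox-helper"


def covers(root, target):
    """True if `target` lies at or under `root` once '..' segments and
    symlinks are resolved, so a crafted relative path cannot hide its
    real destination."""
    r = os.path.realpath(root)
    t = os.path.realpath(target)
    return t == r or t.startswith(r.rstrip(os.sep) + os.sep)


def allowed_write_roots_unchecked(project_dir, working_dir_setting):
    """Naive policy: the working-directory setting becomes an allowed-write
    root exactly as supplied. Content the agent reads can steer that
    setting, so it can point at the sandbox helper's own directory."""
    return [project_dir, working_dir_setting]


def allowed_write_roots_hardened(project_dir, working_dir_setting,
                                 helper=SANDBOX_HELPER):
    """Accept the working directory only if it stays inside the project and
    does not cover the sandbox helper; otherwise keep the project root only."""
    roots = [project_dir]
    if covers(project_dir, working_dir_setting) and not covers(working_dir_setting, helper):
        roots.append(working_dir_setting)
    return roots


def helper_writable(roots, helper=SANDBOX_HELPER):
    """Defender's check: would any allowed-write root let a command
    overwrite the sandbox helper? This should always be False."""
    return any(covers(r, helper) for r in roots)


if __name__ == "__main__":
    project = "/home/dev/proj"
    # Constructed injected setting: looks project-relative, resolves elsewhere.
    injected = "/home/dev/proj/../../../opt/agent/sandbox"
    print("unchecked:", helper_writable(allowed_write_roots_unchecked(project, injected)))
    print("hardened: ", helper_writable(allowed_write_roots_hardened(project, injected)))
```

The same `helper_writable` check is worth running over whatever allowlist an agent actually ends up with at runtime, since the resolved paths, not the configured strings, decide what a sandboxed command can overwrite.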
- Check: Confirm Cursor is updated to 3.0 or later on developer machines, and review whether your AI coding agents can be steered by content they read from MCP servers, web pages, or repositories.
- Affected: Developers running Cursor versions before 3.0 (CVE-2026-50548 and CVE-2026-50549); a prompt injection hidden in content the agent reads can escape the command sandbox and run arbitrary commands on the machine.
- Fix: Update Cursor to 3.0 or later, keep the agent's command sandbox enabled, and treat everything an AI coding agent reads, from MCP tools to web pages, as potentially hostile rather than trusted.