PERMISSION/PROTOCOL
Back to incident tracker

2026-07-01

HighVendor post

DuneSlide CVE-2026-50548 + CVE-2026-50549 (CVSS 9.8): Zero-Click Prompt Injection in Cursor IDE Disables Sandbox and Executes Arbitrary Commands on Developer Machines

Cato AI Labs disclosed DuneSlide: two CVSS 9.8 flaws in Cursor AI let hidden MCP or web search instructions disable the editor's sandbox and run arbitrary commands with no user interaction.

Cursor AITool execution / MCPPrompt injection sandbox escape leading to zero-click RCEDeveloper workstation — Cursor AI code editor runtime, terminal execution environment, local filesystem, and all credentials and secrets accessible to the developer's machine

What happened

Attacker plants malicious instructions inside an MCP response or web search result. The Cursor AI agent reads the content and follows the hidden instruction, which abuses the run_terminal_cmd working_directory parameter to write a file outside the sandbox's allowed scope. This write disables the sandbox. The agent then executes arbitrary commands with the permissions of the Cursor process.

Why it matters

Full RCE on the developer's machine. All secrets, API keys, SSH keys, and code repositories are exposed. The attack requires no user click, approval dialog, or error — it triggers through normal agent operation. Any content source the agent reads (MCP tool responses, web search results, file contents) is a potential injection vector.

Missing authorization check

An external authorization gate should validate terminal commands before execution, independent of the agent's own sandbox state. Sandbox configuration should not be modifiable via agent tool calls. Prompt injection from external content should be neutralized before it reaches the tool-call layer.

Would PP block it?

DuneSlide exploits Cursor's internal sandbox via prompt injection into tool output — the attack chain runs entirely within the Cursor runtime layer. PP's authorization receipts are issued through a channel external to the local machine: even with the sandbox disabled and arbitrary commands running, an attacker cannot produce a PP authority receipt for consequential downstream actions unless the receipt-issuing channel is also compromised. Local credential theft remains a risk PP does not prevent at the workstation layer.

Incident analysis

Timeline and technical read

Timeline

  1. 2026-04-02

    Cursor 3.0 released with DuneSlide patch. Cato AI Labs had reported the vulnerabilities under coordinated disclosure prior to this date. All versions before 3.0 remain affected.

  2. 2026-07-01

    Cato AI Labs publishes full DuneSlide disclosure: CVE-2026-50548 and CVE-2026-50549, both CVSS 9.8, with technical proof-of-concept demonstrating zero-click sandbox escape via prompt injection.

  3. 2026-07-01

    The Hacker News and CybersecurityNews report DuneSlide. Cursor's developer base — which includes more than half the Fortune 500 — advised to update to Cursor 3.0 immediately.

  4. 2026-07-02

    CSO Online and CyberPress confirm attack surface extends to any AI coding agent that processes MCP responses or web search results without prompt injection filtering.

Technical breakdown

  • CVE-2026-50548 abuses Cursor's run_terminal_cmd working_directory parameter. The sandbox permits file writes into a command's working folder; when the agent sets working_directory to a non-default path, Cursor resolves it and allows writes that exit the sandbox boundary, enabling overwrite of sandbox configuration.
  • CVE-2026-50549 is a second variant using an alternative path to the same sandbox disable write. Both CVEs achieve sandbox-off via a single agent tool call triggered by prompt injection into any content the agent reads.
  • The attack vector is prompt injection: hidden instructions embedded in an MCP service response, web search result, or any other external content the agent reads on behalf of the user. No user interaction is required beyond normal agent use.
  • Zero-click: the sandbox disable fires the moment the agent processes the injected content. There is no phishing link to click, no approval dialog to dismiss, and no user error required.
  • Once the sandbox is disabled, the Cursor agent can issue terminal commands with full user-level permissions on the developer's machine, gaining access to all files, environment variables, SSH keys, and credentials the user has access to.

Authorization boundary

Where the authorization boundary should have been

This incident is categorized as Tool execution / MCP. The relevant Permission Protocol gate is Tool-Call Gate. The read is conditional: the block only applies where the real action boundary is routed through a gate.

If enforced at
Agent tool-call gate; downstream deployment and infrastructure action authorization
Still needs
Cursor internal sandbox state; prompt injection content filtering at the agent input layer; local credential access once RCE is achieved on the developer workstation
Receipt required for
Any terminal command with filesystem, network, or secret scope; all deployment, code push, and infrastructure agent actions downstream of the developer workstation

PP's Tool-Call Gate adds an external authorization check on agent-issued tool calls. It cannot prevent the sandbox disable — that happens within Cursor's runtime before the tool call reaches an external gate. Once the sandbox is off, high-impact downstream actions (deploys, infrastructure changes) still require PP-signed receipts issued through an independent channel.

Start small

Put the relevant gate at this action boundary.

This incident maps to Tool-Call Gate. Start with the boundary that controls the actual action, then require a signed receipt before execution.

Replay this incident with a signer in the loop