
DuneSlide CVEs Enable Zero-Click MCP Prompt Injection to Disable Cursor Sandbox via Working Directory and Symlink Abuse
DuneSlide demonstrates repeatable prompt-injection paths that neutralize Cursor's sandbox through legitimate tool parameters and symlink handling. The pattern connects prior configuration-rewrite CVEs to direct command execution in widely deployed AI editors. Enterprises using pre-3.0 versions face immediate exposure via any MCP or search context.
Cato AI Labs disclosed the pair on February 19 after Cursor initially rejected the reports for falling outside its threat model covering standard MCP servers such as Linear. Reopened on February 26, both issues reached patched status in Cursor 3.0 on April 2. CVE-2026-50548 abuses the working_directory parameter to add arbitrary paths to the allowed-write list, while CVE-2026-50549 exploits symlink resolution fallback when read permissions are stripped from path components. Both converge on overwriting the sandbox binary itself.
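The two failure classes described above (a tool-supplied working directory widening the write allowlist, and symlink resolution falling back to an unresolved path) share one defensive check: canonicalize strictly, fail closed, then test containment. The sketch below is an added example, not Cursor's code; `resolve_write_root`, `SandboxPathError` and the directory tree are hypothetical and constructed for illustration.

```python
import os
import tempfile
from pathlib import Path


class SandboxPathError(Exception):
    """A tool-supplied path must not be added to the write allowlist."""


def resolve_write_root(workspace, working_directory):
    """Canonicalize an untrusted working directory or raise; never fall back."""
    root = Path(workspace).resolve(strict=True)
    candidate = root / working_directory  # an absolute value replaces root here
    try:
        # strict=True raises when a component is missing or cannot be
        # inspected, instead of returning a partly resolved path.
        real = candidate.resolve(strict=True)
    except (OSError, RuntimeError) as exc:
        raise SandboxPathError(f"cannot canonicalize {working_directory!r}") from exc
    if not real.is_dir():
        raise SandboxPathError(f"{real} is not a directory")
    # Containment is tested on the resolved path, after symlinks are followed.
    if real != root and root not in real.parents:
        raise SandboxPathError(f"{real} is outside workspace {root}")
    return real


def demo():
    """Run the check over a constructed tree; returns {case: allowed?}."""
    with tempfile.TemporaryDirectory() as tmp:
        ws, outside = Path(tmp) / "project", Path(tmp) / "outside"
        (ws / "src").mkdir(parents=True)
        outside.mkdir()
        os.symlink(outside, ws / "link")  # in-workspace symlink pointing outside
        cases = {"subdir": "src", "root": ".", "symlink": "link",
                 "dotdot": "../outside", "absolute": str(outside),
                 "missing": "missing/dir"}
        results = {}
        for label, wd in cases.items():
            try:
                resolve_write_root(ws, wd)
                results[label] = True
            except SandboxPathError:
                results[label] = False
        return results


if __name__ == "__main__":
    for label, ok in demo().items():
        print(f"{label:10} {'allow' if ok else 'deny'}")
```

A check like this still leaves a window between validation and use, so the resolved path it returns, not the original string, is what should reach the allowlist.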
Prior Cursor flaws including CurXecute (CVE-2025-54135) and MCPoison (CVE-2025-54136) followed identical patterns of poisoned context rewriting configuration files. The DuneSlide cases extend this to direct sandbox neutralization, exposing how AI coding platforms now aggregate untrusted external context at machine speed. More than half of Fortune 500 deployments ran vulnerable 2.x versions at disclosure.
NVD records and Cursor's own symlink advisory confirm no public exploitation as of June, yet the attack surface expands with every new MCP integration. Official statements continue to treat prompt injection as out-of-scope despite repeated demonstrations that MCP and web search inputs are treated as trusted. Independent verification of the CVEs shows consistent 9.8 scoring under CVSS 3.1 with available proof-of-concept paths.
Cursor 3.0 raises the baseline, but enterprises must audit all connected MCP servers and disable sandbox-optional workflows until broader input sanitization is enforced. Procurement records indicate rapid adoption without corresponding security reviews of the underlying agent tooling.
Cato Labs: At least two further MCP-derived sandbox CVEs affecting Cursor or competing AI editors disclosed before December 2026.
Sources (3)
- [1] Primary Source (https://thehackernews.com/2026/07/critical-cursor-flaws-could-let-prompt.html)
- [2] Supporting Source (https://nvd.nist.gov/vuln/detail/CVE-2026-50548)
- [3] Supporting Source (https://cursor.com/security/advisories)