    Critical Cursor Flaws Could Let Prompt Injection Escape Sandbox and Run Commands

    By admin, July 2, 2026

    Swati Khandelwal | Jul 01, 2026 | AI Coding / Vulnerability

    Two flaws in Cursor, an AI code editor, could let a single, ordinary-looking prompt break out of the editor’s safety sandbox and run any command on a developer’s computer. There is no click to fall for and no approval box to ignore.

    Cato AI Labs found the pair and named them DuneSlide. They are tracked as CVE-2026-50548 and CVE-2026-50549, both rated 9.8 out of 10 (or 9.3 under the newer CVSS 4.0 scale).

    The fix is already out. Both bugs are patched in Cursor 3.0, released April 2, and every version before 3.0 is affected. Cursor’s maker says more than half the Fortune 500 use the tool, so if you run it, update now.

    What the sandbox was for, and how it broke

    Starting in the 2.x line, Cursor runs the terminal commands its AI agent issues inside a sandbox by default: a locked box that limits what those commands can touch, so a stray instruction cannot wreck the machine.

    DuneSlide is about getting out of that box. The way in is prompt injection. The attacker never types into your Cursor. They plant instructions inside something your agent reads on your behalf, such as a connected service through the Model Context Protocol (MCP) or a page returned by a web search.

    You ask a normal question, the hidden instructions come along for the ride, and because it needs no click or approval from you, the attack is “zero-click.”

    Both flaws use the same trick: get the agent to write one file it should not be allowed to write, then use that write to turn the sandbox off.

    • CVE-2026-50548 abuses a setting. The sandbox permits writes into a command’s working folder, and that folder is an optional parameter, working_directory, on Cursor’s run_terminal_cmd tool. When the agent sets it to a non-default path, Cursor adds that path to the allowed-write list without question. Injected instructions point it at a system file instead of the project. Overwrite the sandbox helper itself (on macOS, /Applications/Cursor.app/Contents/Resources/app/resources/helpers/cursorsandbox), and later commands run with no sandbox at all. Startup files like ~/.zshrc work as targets too.
    • CVE-2026-50549 abuses a safety check. Before writing, Cursor resolves shortcuts (symlinks) to confirm the real destination sits inside your project. The bug is the fallback: when that check fails, because the target does not exist or the attacker removes read access from a folder in the path, Cursor gives up and trusts the shortcut’s in-project path instead. An attacker creates a shortcut that points outside the project, forces the check to fail, and Cursor writes straight through it to the same sandbox helper. Same escape, different door.
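
The fallback described for CVE-2026-50549, set beside a fail-closed version of the same containment check, as an added Node.js example (not Cursor's code and not part of the original article). All function names and the temp-directory layout are constructed for illustration and a POSIX filesystem is assumed; the strict check is also the kind of test a caller-supplied working directory, as in CVE-2026-50548, could be required to pass before it is granted write access.

```javascript
const fs = require('fs'), os = require('os'), path = require('path');

// True when candidate is root itself or lies beneath it (both already resolved).
function contains(root, candidate) {
  const rel = path.relative(root, candidate);
  return rel !== '..' && !rel.startsWith('..' + path.sep) && !path.isAbsolute(rel);
}

// Flawed pattern as the article describes it: if resolution fails, trust the lexical path.
function insideProjectNaive(root, target) {
  let real;
  try { real = fs.realpathSync(target); } catch { real = path.resolve(target); }
  return contains(fs.realpathSync(root), real);
}

// Resolve symlinks on the deepest existing ancestor; only a truly absent tail is appended.
function resolveStrict(p) {
  const abs = path.resolve(p);
  try {
    return fs.realpathSync(abs);
  } catch (err) {
    if (err.code !== 'ENOENT') throw err; // EACCES, ELOOP, ...: no fallback
    // The entry itself exists but cannot be resolved: a dangling symlink.
    if (fs.lstatSync(abs, { throwIfNoEntry: false })) throw new Error('dangling symlink: ' + abs);
    return path.join(resolveStrict(path.dirname(abs)), path.basename(abs));
  }
}

// Fail closed: any resolution error denies the write.
function insideProjectStrict(root, target) {
  try { return contains(fs.realpathSync(root), resolveStrict(target)); }
  catch { return false; }
}

// Constructed layout in a temp dir: a project holding a link that points outside it.
function demo() {
  const base = fs.realpathSync(fs.mkdtempSync(path.join(os.tmpdir(), 'symcheck-')));
  const project = path.join(base, 'project'), link = path.join(project, 'notes.txt');
  fs.mkdirSync(project);
  fs.symlinkSync(path.join(base, 'outside', 'helper'), link); // target does not exist
  const result = {
    naiveLink: insideProjectNaive(project, link),        // fallback accepts the link
    strictLink: insideProjectStrict(project, link),      // unresolved link is denied
    strictNewFile: insideProjectStrict(project, path.join(project, 'src', 'new.js')),
    strictOutsideWorkdir: insideProjectStrict(project, path.join(base, 'elsewhere')),
  };
  fs.rmSync(base, { recursive: true, force: true });
  return result;
}
console.log(demo());
```

The strict version still allows creating new files under the project, so failing closed does not cost the legitimate "target does not exist yet" case.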

    Once the sandbox is neutralized, the next command runs as you. That means control of the developer’s machine, plus any cloud or SaaS workspaces the editor is signed into. It all follows from one harmless-looking prompt.

    There is no sign this has been used in real attacks. Cato presents it as research, not an active campaign, and the public vulnerability record shows no known exploitation as of publication.

    Cato reported both issues on February 19. By Cato’s account, Cursor rejected them four days later, saying its threat model did not cover misuse of MCP servers, even standard ones like the official Linear workspace.

    Cato escalated on February 26; Cursor reopened the reports, triaged them, and shipped both fixes in 3.0. The CVE IDs were assigned on June 5.

    Cursor published its own advisory for the symlink bug, and its NVD record is live.

    Not the first, and probably not the last

    DuneSlide is the latest in a run of Cursor bugs that start with a poisoned prompt and end in code execution, each one defeating a different guardrail. The Hacker News covered the earlier rounds:

    • CurXecute (CVE-2025-54135, August 2025) came from the same team, then operating as Aim Security. A planted Slack message rewrote Cursor’s ~/.cursor/mcp.json config and ran commands even after the user rejected the edit. Fixed in 1.3.
    • MCPoison (CVE-2025-54136), from Check Point Research, lets an attacker get an MCP config approved once, then quietly swap in malicious commands with no second prompt.
    • CVE-2026-26268 (February 2026) hid a booby-trapped Git hook in a repository that fired the moment the agent ran a Git command. Patched in 2.5.

    The sandbox in the 2.x line was Cursor’s answer to that earlier wave. DuneSlide is about escaping the answer.

    Cato says it is disclosing similar flaws in other coding agents and argues the problem is structural rather than a string of one-offs.

    That leaves an open question for anyone shipping an agent that reads the open web: whether treating every input as hostile becomes the default, or stays a patch-by-patch scramble.
