At a glance: Logic errors in Cursor’s sandbox isolation enable prompt-injection attackers to achieve remote code execution without user interaction; patches have been available since April.
Researchers have discovered two critical security vulnerabilities in the widely used AI-powered IDE Cursor that lead to remote code execution via prompt injection. The vulnerabilities allow attackers to bypass the sandbox isolation designed to prevent AI agents from dangerous system access.
The two vulnerabilities, CVE-2026-50548 and CVE-2026-50549, allow attackers to escape from Cursor’s command execution sandbox. The security research team at Cato Networks, which discovered the flaws, emphasizes: “The exploit requires no prior user privileges or specific user interaction.” Instead, it is triggered when a user makes a benign request that inadvertently picks up an attacker-controlled payload from an untrusted source, such as an MCP server or a web search result.
The problem lies in two logic flaws in the isolation layer: First, the `run_terminal_cmd` tool supports a `working_directory` parameter that allows the default path to be overridden programmatically. Through prompt injection, an attacker could cause the LLM to set this directory to a path outside the project directory – thus overwriting files like the `cursorsandbox` executable or writing malicious code to shell configuration files or system startup folders. Second, the researchers demonstrated that the Cursor agent can be made to create symbolic links (symlinks) that point to files outside the project directory. The canonicalization logic intended to resolve these links contains a dangerous fallback that undermines the check.
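To make the two flaw classes concrete, here is an added example that is neither Cursor's code nor Cato's proof of concept: a constructed containment check with the kind of canonicalization fallback the article describes, a hardened counterpart that resolves every symlink and never falls back to the lexical path, and a hypothetical `run_terminal_cmd` front-end that applies the same rule to the `working_directory` override. Function names and the temporary directory layout are assumptions.

```python
import os
import tempfile
from pathlib import Path


def weak_contains(project_root: str, requested: str) -> bool:
    """Constructed flawed check: if canonicalization fails (e.g. a symlink whose
    target does not exist yet) it falls back to the unresolved, in-project path."""
    root = os.path.realpath(project_root)
    candidate = os.path.normpath(os.path.join(root, requested))
    try:
        resolved = str(Path(candidate).resolve(strict=True))
    except OSError:
        resolved = candidate  # dangerous fallback: symlink target never checked
    return resolved == root or resolved.startswith(root + os.sep)


def hardened_contains(project_root: str, requested: str) -> bool:
    """Resolve every symlink (dangling ones too) and require the result to sit
    under the project root; there is no fallback to the lexical path."""
    root = os.path.realpath(project_root)
    # An absolute `requested` replaces root here, so overrides are covered too.
    resolved = os.path.realpath(os.path.join(root, requested))
    return os.path.commonpath([root, resolved]) == root


def run_terminal_cmd(project_root: str, working_directory: str = ".") -> str:
    """Hypothetical sandbox front-end: the override gets the same containment rule."""
    if not hardened_contains(project_root, working_directory):
        raise PermissionError(f"{working_directory!r} leaves the project")
    return os.path.realpath(os.path.join(project_root, working_directory))


def demo() -> dict:
    """Throwaway project tree with a symlink that points outside it."""
    base = tempfile.mkdtemp()
    project = os.path.join(base, "project")
    os.makedirs(os.path.join(project, "src"))
    # In-project symlink whose target (outside the project) does not exist yet.
    os.symlink(os.path.join(base, "outside", "rc"), os.path.join(project, "link"))
    try:
        run_terminal_cmd(project, "../outside")
        override_blocked = False
    except PermissionError:
        override_blocked = True
    return {
        "weak_accepts_symlink": weak_contains(project, "link"),
        "hardened_accepts_symlink": hardened_contains(project, "link"),
        "hardened_accepts_src": hardened_contains(project, "src"),
        "override_blocked": override_blocked,
    }
```

The weak check passes the dangling symlink because the fallback compares the path where the link lives rather than where it points; the hardened check rejects it and the out-of-project `working_directory` alike.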
Following its recent acquisition by SpaceX for $60 billion in equity, Cursor has become one of the most dominant AI-powered development tools in the enterprise sector. The security vulnerabilities were already patched in version 3.0 of Cursor, released in April. The vulnerabilities underscore a fundamental dilemma: large language models are inherently vulnerable to malicious instructions embedded in their input, which is particularly critical in agentic AI scenarios where LLMs are connected to browsers and APIs and given access to web content, code repositories, emails, and user documents.
Protection against prompt injection typically requires a multi-layered approach: model-level guardrails, system instructions that treat retrieved content as passive data, supervisor models, keyword filtering, context segmentation, granular access control, and manual approvals. A frequently deployed measure is running autonomous workflows in containers or sandboxes, which is exactly what Cursor had implemented. That this isolation could be bypassed by relatively simple means shows how important continuous security reviews of agentic tools are.
Source: www.csoonline.com · Published 2 July 2026
Lumi AI News — AI-assisted curation pursuant to Article 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.2.