
Cursor IDE: Critical Sandbox Bypass via Prompt Injection

In brief: Prompt injection against AI-driven development tools can circumvent classic sandbox protections and lead to local code execution.

Two security vulnerabilities in the AI-assisted development environment Cursor allowed attackers to bypass its sandbox and execute malicious code on the host operating system, outside the boundary the sandbox was meant to enforce. Both were triggered through prompt injection against the integrated language model.

Cato AI Labs discovered the two vulnerabilities, named them “DuneSlide”, and had them registered under the CVE identifiers CVE-2026-50548 and CVE-2026-50549. Both allowed attackers to circumvent Cursor’s integrated sandbox. Manipulated files in the local file system and content from connected cloud services both served as possible injection vectors.

The first vulnerability lay in how the working directory was handled. Cursor relied on an optional parameter that defined the base location for write operations. Because a prompt injection could influence this parameter, an attacker could point the sandbox at an arbitrary directory outside the project and thereby obtain write access there, including the ability to overwrite security-critical program files. The second vulnerability concerned the resolution of symbolic links (symlinks) in file paths. A flaw in this resolution logic caused Cursor, under certain conditions, to modify files outside the permitted area. This vulnerability, too, could be triggered via prompt injection.
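The two flaws described above are a general pattern in any sandbox that validates write paths, so here is an added example that is not Cursor's code and not from the article: a constructed, self-contained demonstration of a flawed write-path policy with both defects (a model-controllable working directory used as the containment base, and a lexical prefix check that never resolves symlinks) beside a hardened policy that pins the root, resolves symlinks first and rejects writes through a symlink. The directory layout, the function names and the attack paths are all assumptions made for illustration.

```python
import os
import tempfile
from pathlib import Path


def build_demo():
    """Constructed layout (not from the article): <tmp>/project is the sandbox
    root, <tmp>/outside is a directory the sandbox must never write to, and
    project/shared is a symlink that points out of the project."""
    root = Path(tempfile.mkdtemp(prefix="duneslide-demo-"))
    project, outside = root / "project", root / "outside"
    project.mkdir()
    outside.mkdir()
    (project / "shared").symlink_to(outside, target_is_directory=True)
    return project, outside


def naive_write_target(project, rel_path, cwd=None):
    """Flawed policy, modelled on the two flaws described in the text.
    Flaw 1: an optional cwd (which a prompt-injected tool call can set) becomes
    the base that the containment check is performed against.
    Flaw 2: the check is lexical (normpath + string prefix), so a symlink inside
    the project that points outside passes unnoticed.
    Returns the path the sandbox would write to, or None if refused."""
    base = Path(cwd) if cwd is not None else Path(project)
    target = Path(os.path.normpath(base / rel_path))
    if str(target).startswith(str(base) + os.sep):
        return target
    return None


def hardened_write_target(project, rel_path, cwd=None):
    """Hardened policy: the write root is fixed by the sandbox, symlinks are
    resolved before the containment test, and the final component may not be
    a symlink itself. cwd is accepted for API compatibility and ignored.
    Returns the real path inside the project, or None if refused."""
    root = Path(project).resolve()
    candidate = root / rel_path          # an absolute rel_path replaces root; caught below
    if candidate.is_symlink():           # never write *through* a link
        return None
    real = candidate.parent.resolve() / candidate.name
    try:
        real.relative_to(root)           # containment on the resolved path
    except ValueError:
        return None
    return real


def lands_outside(path, outside):
    """True if the on-disk location of `path` (symlinks followed) is under `outside`."""
    return os.path.realpath(path).startswith(os.path.realpath(outside) + os.sep)


def run_cases(project, outside):
    """Return {case: (naive_result, hardened_result)} for constructed attack paths."""
    cases = {
        "cwd override":   ("notes.txt", str(outside)),     # flaw 1: attacker-chosen base
        "symlink escape": ("shared/notes.txt", None),      # flaw 2: unresolved symlink
        "dot-dot":        ("../outside/notes.txt", None),  # both policies refuse this
        "legit":          ("src/main.py", None),           # ordinary in-project write
    }
    return {
        name: (naive_write_target(project, rel, cwd),
               hardened_write_target(project, rel, cwd))
        for name, (rel, cwd) in cases.items()
    }


if __name__ == "__main__":
    proj, out = build_demo()
    for name, (naive, hard) in run_cases(proj, out).items():
        print(f"{name:15s} naive -> {naive}  hardened -> {hard}")
```

The instructive part is that the naive check is not wrong about `../` traversal; it is wrong about *what it measures containment against* (a base the model can choose) and *which path it measures* (the lexical one rather than the one the kernel will actually open). The hardened version fixes both by refusing to take the root from the request at all and by resolving the parent directory before the `relative_to` test.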

The attack scenario differs fundamentally from classical security issues: an external attacker usually has no direct access to a local file system, but AI-driven development tools perform security-sensitive operations such as file creation or command execution on their own. When the language model processes manipulated input without additional validation, classical software vulnerabilities in the code paths behind those operations acquire a new, remotely reachable attack vector.

The Cursor team was informed of the vulnerabilities in February 2026. After an initial rejection, the reports were reassessed and fixes shipped with Cursor 3.0. In June 2026, both vulnerabilities were assigned their CVE numbers.

For the security architecture of AI-assisted development tools, this implies: in addition to hardening the language model itself, every classical code path and interface the model can drive (file writes, path resolution, command execution) must be protected with equal care. Prompt injection attacks now extend beyond manipulated chatbot responses to full system compromise.


Source: www.it-daily.net · Published July 3, 2026
Lumi AI News — AI-assisted curation pursuant to Article 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.2.
