2026-07
Prompt Injection
Cursor (Anysphere)

DuneSlide flaws let prompt injection escape Cursor's sandbox for OS-level RCE

What happened

Cato AI Labs disclosed two flaws, dubbed DuneSlide, that let injected instructions from untrusted content break out of Cursor IDE's command sandbox. One abused the LLM-controlled working-directory parameter of the run_terminal_cmd tool to write outside the project; the other exploited a symlink-resolution fallback that trusted an in-project path when validation failed. A poisoned web search result or MCP response could trigger the chain with no user interaction.

Impact

The two zero-click flaws (CVE-2026-50548 and CVE-2026-50549, CVSS 9.8) enabled overwriting system files and running commands with the developer's privileges; disclosed 2026-07-01.

How this could have been prevented

Never letting the LLM widen the sandbox's allowed-write set, and failing closed on symlink-resolution errors, keeps injected instructions confined to the project directory.

Sources

More prompt injection incidents

Would runtime governance have caught this?

Guardion enforces policy on every agent action inline — with visibility, tamper-evident evidence, and DLP for agents and MCPs.

Request a demo