Cato AI Labs disclosed two flaws, dubbed DuneSlide, that let injected instructions from untrusted content break out of Cursor IDE's command sandbox. One abused the LLM-controlled working-directory parameter of the run_terminal_cmd tool to write outside the project; the other exploited a symlink-resolution fallback that trusted an in-project path when validation failed. A poisoned web search result or MCP response could trigger the chain with no user interaction.
The two zero-click flaws (CVE-2026-50548 and CVE-2026-50549, CVSS 9.8) enabled overwriting system files and running commands with the developer's privileges; disclosed 2026-07-01.
Never letting the LLM widen the sandbox's allowed-write set, and failing closed on symlink-resolution errors, keeps injected instructions confined to the project directory.
Guardion enforces policy on every agent action inline — with visibility, tamper-evident evidence, and DLP for agents and MCPs.
Request a demo