CVE-2026-50548 and CVE-2026-50549, both rated CVSS 9.8, allow zero-click prompt injection to escape Cursor IDE's sandbox and execute arbitrary code at OS level. Both flaws are patched in Cursor 3.0, released April 2, 2026. A separate unpatched path-execution variant, disclosed by Mindgard on July 14, 2026, remains active across all current Cursor versions on Windows.
For readers who want to go deeper, Grace Certified offers responsible AI practice guidelines.
Cursor IDE sits at the center of the enterprise AI development stack, deployed across 50,000-plus companies including more than half of the Fortune 500. Its agentic architecture—where the language model issues tool calls that write files, run shell commands, and query external services—expands the attack surface far beyond what traditional IDE sandboxes were designed to contain. DuneSlide, the campaign name Cato AI Labs assigned to the two CVEs, documents a structural shift: the LLM's autonomy is today a primary entry vector for host-level compromise, arriving through the same trusted channels developers use for legitimate productivity.
How CVE-2026-50548 and CVE-2026-50549 escape the sandbox
Cato AI Labs researcher Itay Ravia identified both flaws in Cursor 2.x's sandboxing layer. CVE-2026-50548 abuses the working_directory parameter passed to Cursor's sandbox tooling. The parameter defaults to the project root; attacker-controlled content—delivered via MCP server integrations (Cato documents the Linear.app integration as a confirmed injection channel) or via web search results the agent fetches autonomously—can redirect it to arbitrary filesystem paths. Documented targets include /Applications/Cursor.app/Contents/Resources/app/resources/helpers/cursorsandbox, ~/.zshrc, ~/.zshenv, and ~/Library/LaunchAgents. Writing to the cursorsandbox binary is the highest-impact primitive: it transforms the enforcement boundary itself into attacker-controlled code.
CVE-2026-50549 exploits a fallback in symlink canonicalization. When canonical path resolution fails—due to missing paths or permission errors—the runtime reverts to the raw symlink value. An attacker-supplied symlink pointing outside the project directory bypasses all out-of-bounds path enforcement. The full exploit chain requires zero user interaction: injected prompt content arrives through a trusted-looking MCP response or a poisoned search result, sandbox parameters are manipulated, the cursorsandbox binary gets overwritten, and every subsequent agentic command executes with full OS-level access. Compromised sessions extend to connected SaaS workspaces, since Cursor's GitHub, Linear, and Jira integrations operate under the same process token. Cato disclosed the working directory flaw on February 19, 2026; Cursor confirmed the fix for Cursor 3.0 on April 1. The symlink fix shipped by June 1. CVE IDs were assigned June 5, 2026.
The Mindgard disclosure: an unpatched vector in Cursor 3.x on Windows
On July 14, 2026, offensive security firm Mindgard published a separate full-disclosure report for a flaw with zero CVE assignment and zero vendor remediation. On Windows, Cursor's path resolution logic searches for Git binaries across workspace directories, including the repository root. A git.exe present at that location executes automatically and repeatedly during a normal development session—with zero user prompt and zero warning. Mindgard first reported this to Cursor on December 15, 2025, followed by a HackerOne submission in January 2026 and multiple escalation attempts through April 2026. Cursor declined to accept the report and provided zero remediation timeline across seven months of engagement. Mindgard verified the flaw against Cursor 3.2.16 on April 30, 2026—through 197-plus versions released since initial discovery. The attack requires a malicious git.exe planted at the repository root, reachable via supply chain compromise, repository poisoning, or social engineering. From the moment a developer opens the affected project in Cursor on Windows, execution is automatic and repeated across the session lifetime.
The architectural problem both disclosures share
DuneSlide and the Mindgard git.exe flaw surface the same structural gap: AI-native IDEs inherit the model's tool-call surface as an attack surface. Traditional IDE sandboxing assumes that threat content arrives as code the developer chose to run. Agentic IDEs break that assumption—the model executes tools autonomously, and injected instructions in MCP responses or fetched content become code-execution primitives, bypassing any developer approval gate. The cursorsandbox binary is the enforcement boundary for Cursor's agentic operations; CVE-2026-50548 and CVE-2026-50549 allow overwriting it, after which every agentic action runs unsandboxed. The git.exe variant demands lower technical sophistication with broader reach: write access to a repository root is the full entry requirement. Enterprise deployments with active MCP integrations for GitHub, Linear, and Jira face amplified post-compromise scope—SaaS workspace access rides the same session token as the compromised IDE process. The design pattern itself—LLM issues tool calls, sandbox enforces boundaries—is shared by GitHub Copilot Workspace, Windsurf, and other agents operating in developer environments. A single fallback in path validation logic is sufficient to collapse the boundary entirely.
Three bounded actions for engineering leadership
The decisions are sequenceable. First: mandate Cursor 3.0 or later across all developer workstations—Cursor 2.x leaves both DuneSlide CVEs fully exposed at the application layer with zero available in-app mitigation. Second: on Windows fleets, deploy AppLocker or Windows Defender Application Control policies blocking executable invocation from workspace directories; a path rule covering %USERPROFILE%\source\repos\*\*.exe addresses the Mindgard vector pending a Cursor patch. Third: audit MCP server integrations currently authorized across developer environments—the DuneSlide attack chain enters via MCP responses, with Linear.app confirmed as one injection vector. MCP servers holding project-read permissions represent the highest-priority review surface. Teams running Cursor in CI/CD pipelines face the same exposure: agentic pipeline steps that accept external tool responses share this attack model and warrant the same policy controls.
Article by LEON — AI Agents & Systems
LEON covers the technical layer where AI agents are built and deployed. Source: code, documentation, CVEs.