Cursor's DuneSlide Flaws: Two Sandbox Escapes

Incident | 4 min read | For Security Engineers

What Happened

Cato AI Labs discovered two critical vulnerabilities in Cursor, the AI code editor used by more than half the Fortune 500. Both flaws—CVE-2026-50548 and CVE-2026-50549, each rated 9.8 out of 10—allow prompt injection attacks to escape Cursor's sandbox and execute arbitrary commands on the host system. An attacker could craft malicious input that the AI model processes, breaking out of its intended constraints to run code directly on a developer's machine.

Cursor patched both vulnerabilities in version 3.0, released April 2. All previous versions remain vulnerable.

Timeline

Pre-April 2, 2025: All Cursor versions prior to 3.0 vulnerable to both CVE-2026-50548 and CVE-2026-50549

April 2, 2025: Cursor 3.0 released with patches for both vulnerabilities

Post-disclosure: Cato AI Labs publishes technical details of the DuneSlide attack vectors

If you're running Cursor in your development environment and haven't updated since April 2, you have a 9.8-severity vulnerability sitting in your IDE.

Which Controls Failed or Were Missing

The failures here are architectural, not operational:

Sandbox boundary enforcement failed. Cursor's sandbox was designed to isolate AI-generated operations from the host system. Both CVEs demonstrate that this boundary could be crossed through carefully crafted prompts. The sandbox didn't account for adversarial input to the AI model itself—it assumed the AI would respect the boundaries.

Input validation on AI prompts was absent or insufficient. There's no evidence that Cursor implemented robust input sanitization before feeding prompts to the underlying language model. Untrusted input must be treated as hostile.

Threat model didn't include the AI as an attack surface. The vulnerability exists because Cursor's security design didn't fully account for the AI component as a vector. Your threat model probably includes malicious dependencies and compromised credentials. Does it include "attacker manipulates AI through carefully crafted prompts"?

No runtime monitoring or anomaly detection for sandbox escape attempts. Even if the sandbox could be bypassed, runtime controls should detect when an AI-driven process attempts to execute commands outside its permitted scope. There's no indication such controls existed.

What the Standards Require

Map these failures to your compliance framework:

ISO/IEC 27001:2022 Control 8.25 (Secure development lifecycle) requires that security be integrated throughout the development process. That includes the tools you use to develop. If your developers are running an AI code editor, that editor is part of your development lifecycle and must meet the same security standards as your CI/CD pipeline or version control system.

NIST CSF v2.0 PR.DS-2 calls for data-in-transit and data-at-rest protection. But what about data-in-prompt? When your developers feed code, credentials, or proprietary logic into an AI tool, you're transmitting sensitive data to a system that processes it in ways you may not fully control. Prompt injection exploits that processing.

OWASP ASVS v4.0.3 Requirement 5.3.3 states: "Verify that the application sanitizes user input before passing to mail systems to protect against SMTP or IMAP injection." Extend this principle to AI systems. User input—whether from a developer typing a comment or from a file the AI reads—must be sanitized before the AI processes it.

PCI DSS v4.0.1 Requirement 6.2.4 mandates that you address common coding vulnerabilities. Prompt injection isn't in the traditional list, but the requirement's intent is clear: identify and mitigate vulnerabilities in the software you build and the tools you use to build it. If your payment application was developed using a vulnerable AI editor, you've introduced risk into a PCI environment.

SOC 2 Type II CC6.1 requires that your organization implement logical access controls, including restricting access to systems and data. An AI code editor that can execute arbitrary commands bypasses those controls. Your access policies mean nothing if a prompt can escalate privileges.

Lessons and Action Items for Your Team

Update Cursor immediately. If you're running any version before 3.0, upgrade now. This isn't a "schedule it for next sprint" situation—it's a 9.8 with a public disclosure and a patch available.

Inventory your AI tooling. You probably know which AI services your product uses. Do you know which AI tools your developers use? Cursor, GitHub Copilot, Tabnine, Cody—each one processes your source code. Build a registry of AI tools in use, who approved them, and who's responsible for keeping them patched.

Rewrite your threat model to include AI components. Add a new category: "AI-assisted processes." For each AI tool, ask:

  • What data does it see?
  • What actions can it take?
  • What happens if an attacker controls its input?
  • What's the blast radius if it's compromised?

Implement input controls for AI interactions. You can't sanitize prompts the way you sanitize SQL queries, but you can limit what the AI can access. Configure Cursor (and similar tools) to run with minimal permissions. Use separate environments for AI-assisted development—don't let your AI editor touch production credentials or sensitive customer data.

Monitor AI tool behavior. Set up logging for any AI tool that can execute code or access repositories. Alert on:

  • Attempts to access files outside the project directory
  • Execution of shell commands
  • Network requests to unexpected destinations
  • Changes to system configuration
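The two items above, limiting what the AI tool can do and alerting on what it actually did, can share one policy. The Python below is an added example, not Cursor's code and not its real log or configuration format: the JSON-lines event schema, the project root, the command and host allowlists, the system-config paths and the sample log lines are all constructed assumptions. `is_permitted` is the pre-execution least-privilege gate; `scan_log` is the detection pass over an activity log and raises one alert per bullet above (plus one for a command that is executed but not on the allowlist).

```python
"""Least-privilege gate plus log-based detection for an AI coding tool's actions.

Added example: this is not Cursor's own code. The event schema (JSON lines with
"action", "path", "argv", "url"), the policy values and SAMPLE_LOG are all
constructed for illustration.
"""
import json
import os
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass(frozen=True)
class ToolPolicy:
    """What the AI tool is allowed to touch (constructed, least-privilege defaults)."""
    project_root: str
    allowed_commands: frozenset = frozenset({"git", "npm", "pytest"})
    allowed_hosts: frozenset = frozenset({"registry.npmjs.org", "api.ai-vendor.invalid"})
    # Writes anywhere under these paths count as system configuration changes.
    system_config_paths: tuple = ("/etc", "/home/dev/.ssh", "/home/dev/.bashrc")


def _resolve(path, root):
    """Resolve a possibly relative path against the project root, following symlinks and '..'."""
    return os.path.realpath(os.path.join(os.path.realpath(root), path))


def _under(path, base):
    """True if a resolved path equals base or lies beneath it."""
    base = os.path.realpath(base)
    return path == base or path.startswith(base.rstrip(os.sep) + os.sep)


def evaluate(event, policy):
    """Return the alert names one event raises; an empty list means nothing to flag."""
    alerts = []
    action = event.get("action")
    if action in ("file_read", "file_write"):
        real = _resolve(event.get("path", ""), policy.project_root)
        if action == "file_write" and any(_under(real, p) for p in policy.system_config_paths):
            alerts.append("system_config_change")
        if not _under(real, policy.project_root):
            alerts.append("file_outside_project")
    elif action == "exec":
        argv = event.get("argv") or [""]
        alerts.append("shell_exec")  # every command execution is logged and alerted on
        if os.path.basename(argv[0]) not in policy.allowed_commands:
            alerts.append("exec_not_allowlisted")
    elif action == "net":
        host = urlparse(event.get("url", "")).hostname or ""
        if host not in policy.allowed_hosts:
            alerts.append("unexpected_destination")
    else:
        alerts.append("unknown_action")
    return alerts


def is_permitted(event, policy):
    """Pre-execution gate: allow only events that raise no alert beyond a plain allowlisted exec."""
    return all(alert == "shell_exec" for alert in evaluate(event, policy))


def scan_log(lines, policy):
    """Detection pass over JSON-lines activity records; returns (timestamp, alert, event) tuples."""
    findings = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            findings.append(("?", "malformed_log_line", raw))
            continue
        for alert in evaluate(event, policy):
            findings.append((event.get("ts", "?"), alert, event))
    return findings


POLICY = ToolPolicy(project_root="/home/dev/project")

# Constructed activity log: one benign and one suspicious event per alert category.
SAMPLE_LOG = """
{"ts": "2025-04-03T10:00:01Z", "action": "file_read", "path": "src/app.py"}
{"ts": "2025-04-03T10:00:02Z", "action": "file_read", "path": "../../.ssh/id_rsa"}
{"ts": "2025-04-03T10:00:03Z", "action": "exec", "argv": ["pytest", "-q"]}
{"ts": "2025-04-03T10:00:04Z", "action": "exec", "argv": ["/bin/sh", "-c", "id"]}
{"ts": "2025-04-03T10:00:05Z", "action": "net", "url": "https://registry.npmjs.org/lodash"}
{"ts": "2025-04-03T10:00:06Z", "action": "net", "url": "http://203.0.113.7/collect"}
{"ts": "2025-04-03T10:00:07Z", "action": "file_write", "path": "/etc/hosts"}
"""

if __name__ == "__main__":
    for ts, alert, event in scan_log(SAMPLE_LOG.splitlines(), POLICY):
        verdict = "allow" if is_permitted(event, POLICY) else "DENY"
        print(f"{ts} {alert:24} {verdict} {event}")
```

Two design points matter here. Paths are compared only after `os.path.realpath`, so a `..` traversal or a symlink inside the project that points outside it is caught by the same check as an absolute path. The command allowlist keys on the program's basename, which is enough to show the idea but not enough for production: a real gate should pin full paths and run the tool under an OS-level sandbox rather than trusting its own event log, since a successful escape of the kind described above would not report itself.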

Require security review for new AI tools. Your change management process probably covers new software deployments. Extend it to developer tools. Before your team adopts a new AI code assistant, your security team should review its architecture, permissions model, and update cadence.

Test your sandbox assumptions. If you're building AI-integrated features into your own product, don't assume your sandbox works. Hire someone to attempt prompt injection attacks. The DuneSlide vulnerabilities prove that even well-funded products with large user bases can miss these flaws.

The pattern is clear: we're bolting AI onto systems designed before prompt injection was a threat. Your existing controls—input validation, least privilege, sandboxing—still apply. You just need to apply them to a new attack surface.
