Cursor's default-on sandbox was the right call. When the 2.x line put the agent's terminal commands inside a locked box β refusing writes outside the project unless the user opts in β that was the security posture every AI code editor should ship. Two flaws in that wall, named DuneSlide by researchers at Cato AI Labs, prove it isn't permanent. Patches shipped in Cursor 3.0 on April 2, two and a half months before the public write-up on July 1, which is exactly how coordinated disclosure is supposed to look. The lesson isn't whether to trust the agent. It's what to do today, and what to add underneath.
The blast radius matters: more than half the Fortune 500 use Cursor, per its maker. A zero-click sandbox escape in that install base isn't a hobbyist problem β it's a patch-everything-on-every-laptop problem.
In the 2.x line, Cursor runs the AI agent's terminal commands inside a sandbox by default β a locked box that limits what those commands can touch. The point is simple: an agent that gets confused, misdirected by prompt injection, or just has a bad day cannot, by itself, rewrite your ~/.zshrc
or replace a system binary. The sandbox is the difference between "the agent did something dumb" and "the agent did something catastrophic." Most tools Cursor drives over the Model Context Protocol (MCP) inherit that sandbox by default, so the box is the assumption your workflow was built on.
DuneSlide is about walking out of that box.
[[DIAGRAM: attacker plants instructions β agent reads them via MCP tool result or web fetch β run_terminal_cmd
is called with a crafted working_directory
or a symlinked target β write lands outside the project β sandbox helper or shell startup file overwritten β next command runs with no sandbox]]
Two CVEs, both rated 9.8/10 on the CVSS 3.1 scale and 9.3 under CVSS 4.0. Both were patched in Cursor 3.0, released April 2. Every version before 3.0 is affected.
The attacker never types into your Cursor. They plant instructions in something your agent reads on your behalf β an MCP tool result, a web page returned by the built-in search, a README fetched through any connected service. You ask a normal question. The hidden instructions travel alongside the answer, and the agent follows them. There is no click to refuse, no approval box to ignore. Zero-click.
Both bugs use the same trick: get the agent to write one file it should not be allowed to write, then use that write to switch the sandbox off.
CVE-2026-50548 abuses a parameter. Cursor's run_terminal_cmd
accepts an optional working_directory
. The sandbox already permits writes inside that folder. When the agent β or injected instructions pointing at it β sets working_directory
to a non-default path, Cursor adds that path to the allowed-write list without asking. Aim it at a system file instead of the project β on macOS, /Applications/Cursor.app/Contents/Resources/app/resources/helpers/cursorsandbox
β overwrite the sandbox helper itself, and every later command runs with no sandbox at all. Startup files like ~/.zshrc
work as targets too: once rewritten, the next shell launch executes whatever the attacker left there.
CVE-2026-50549 abuses a safety check. Before writing, Cursor resolves symlinks to confirm the destination is what the user asked for. The published source at thehackernews.com cuts off mid-explanation on the exact bypass; the class is the same as 50548 β a check the model can be tricked into passing, a write that lands somewhere it shouldn't. Read the full disclosure before treating either CVE as fully understood.
A sandbox escape isn't theoretical damage. Once the sandbox is off:
~/.ssh
, ~/.aws/credentials
, browser cookies, the source for the project you're paid to write, secrets in .env
files you happened to be editing.Cursor's maker says more than half the Fortune 500 use the tool. Half the Fortune 500 has at least one developer with private keys, customer data, and a build pipeline on the same machine Cursor is installed on.
The patch is one download away. Every step below assumes you want Cursor installed at all; if you don't, uninstall it and stop here.
1. Update to Cursor 3.0 or later. Open Cursor β Cursor β About Cursor and read the version number. Anything before 3.0 is exposed to both CVEs. Use the in-app Check for Updates prompt β it serves the patched build β or reinstall from Cursor's official download page if a clean install is faster.
2. Lock the agent's write surface in the meantime. Even on 3.0, treat the sandbox as defence in depth, not the whole wall. Scope every MCP server you actually need:
// ~/.cursor/mcp.json
{
"mcpServers": {
"github": {
"command": "npx",
"args": ["-y", "@modelcontextprotocol/server-github"],
"env": { "GITHUB_TOKEN": "${env:GITHUB_TOKEN}" }
}
}
}
Disable MCP servers you aren't actively using. Untrusted MCP servers are how an attacker plants instructions your agent will read.
3. Don't run Cursor with sudo, ever. The sandbox assumes the user has limited privileges. If the agent has root, the sandbox is decoration.
4. Make startup files append-only. A symlinked or chmod'd ~/.zshrc
derails persistence even if a future CVE bypasses the sandbox again.
chattr +a ~/.zshrc
On macOS (APFS), chattr +a
doesn't apply β a less-privileged shell wrapper or a SIP-protected location is the practical equivalent. The point is the same: make the file your shell trusts the hardest file on the box to overwrite.
5. Treat every agent that touches the network as a browser. Web results, fetched READMEs, MCP tool payloads β every one is attacker-controlled content the model will read. Cursor 3.0 patches the specific bypasses; the class of vulnerability is older than DuneSlide and isn't going away.
6. Verify what your agent saw. Before letting the agent run anything novel, ask it to quote the source of any non-trivial instruction. If it can't, refuse the action.
Today's vulnerability is CVE-2026-50548 and CVE-2026-50549. Tomorrow's will be CVE-2027-XXXX. The pattern is permanent: a model that reads untrusted text and acts on it through a write-capable tool will be tricked into writing somewhere it shouldn't. Cursor shipped a sandbox; the sandbox had two holes. The next editor will ship a different safety net; that safety net will have different holes. The fix-from-the-vendor cycle β patch, restart, repeat β is the model-tax you keep paying.
The part underneath doesn't churn. A clean checkout workflow where the agent proposes changes and a tool outside the agent's control decides what lands. A build server that pulls from a branch the agent can't write to directly. A secrets store the agent cannot resolve to plaintext, even when it tries. Run these, and which AI editor you wired into them becomes a switching cost measured in hours, not a security migration measured in weekends.
This is the layer that doesn't churn: the interface where the AI proposes and the project decides β shaped once, reused across every editor upgrade, every new model, every next DuneSlide.
The sandbox earned its keep this week. So did the patch. So will the next one β and the one after that. Patch fast. Build the layer that doesn't have to be re-patched every six weeks.