Two CVEs, one quiet class of bug

Cursor is one of the most-used AI-assisted IDEs in 2026, and for good reason — it lets a developer hand off real work to an agent that reads, edits, runs, and verifies code in a single loop. That capability is now on the security reviewer's desk. Researchers from Cato Networks disclosed two vulnerabilities in Cursor IDE that break out of its command execution sandbox via prompt injection and end in remote code execution. Tracked as CVE-2026-50548 and CVE-2026-50549, the flaws do not require prior user privileges or specific user interaction.

That last clause is the load-bearing one. Most sandbox escapes need a click, a confirmation, a misconfigured permission. These don't. A developer typing what looks like a normal prompt is enough.

What the sandbox was supposed to do

Cursor's command execution sandbox is the protective layer between the AI agent and the underlying operating system. In normal operation the agent can read and edit files in the workspace, run build and test commands, and talk to MCP servers — but the sandbox is supposed to stop it from doing arbitrary things on the host: writing to ~/.ssh, reading cloud credentials, curling out to attacker-controlled endpoints.
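The boundary described above, modeled as a default-deny check on agent-proposed actions. This is an added example, not Cursor's code and not taken from the disclosure. The action format, the `check_action` and `inside` helpers, and the egress allowlist are assumptions made for illustration, and the sample actions are constructed.

```python
import os
import tempfile
from pathlib import Path
from urllib.parse import urlsplit

# Hypothetical egress allowlist, chosen for this example only.
ALLOWED_HOSTS = {"pypi.org", "registry.npmjs.org"}


def inside(path, root):
    """True if path stays under root once symlinks and '..' are resolved."""
    real, root = Path(os.path.realpath(path)), Path(os.path.realpath(root))
    return real == root or root in real.parents


def check_action(action, workspace):
    """Return (allowed, reason) for one agent-proposed action."""
    kind = action["kind"]
    if kind in ("read", "write"):
        # Relative paths are taken relative to the workspace root.
        target = os.path.join(workspace, action["path"])
        if inside(target, workspace):
            return True, "inside workspace"
        return False, f"{kind} outside workspace: {os.path.realpath(target)}"
    if kind == "connect":
        host = urlsplit(action["url"]).hostname or ""
        if host in ALLOWED_HOSTS:
            return True, "allowlisted host"
        return False, f"egress to non-allowlisted host: {host}"
    return False, f"unknown action kind: {kind}"  # default deny


def demo():
    """Run constructed sample actions against a throwaway home directory."""
    with tempfile.TemporaryDirectory() as home:
        ws = os.path.join(home, "project")
        os.makedirs(os.path.join(ws, "src"))
        os.makedirs(os.path.join(home, ".aws"))
        # Symlink inside the workspace that points at a credentials directory.
        os.symlink(os.path.join(home, ".aws"), os.path.join(ws, "cfg"))
        actions = [
            {"kind": "write", "path": "src/app.py"},
            {"kind": "write", "path": os.path.join(home, ".ssh", "authorized_keys")},
            {"kind": "read", "path": "../.aws/credentials"},
            {"kind": "read", "path": "cfg/credentials"},
            {"kind": "connect", "url": "https://pypi.org/simple/"},
            {"kind": "connect", "url": "https://files.example.net/upload"},
        ]
        return [check_action(a, ws)[0] for a in actions]
```

Calling `demo()` returns one allow/deny decision per sample action. The symlink and `..` cases are why the check compares resolved paths rather than string prefixes.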