Tags: Security & Risk, cursor, ai developer tools, cybersecurity, prompt injection

Researchers Disclose Zero-Click RCE Flaws In Cursor IDE

By LDS Team

Relevance score: 6.5

On July 1, 2026, Cato AI Labs disclosed DuneSlide, two critical zero-click remote-code-execution flaws (CVE-2026-50548 and CVE-2026-50549, both rated 9.8 under CVSS 3.1) in the Cursor AI code editor, which is used by more than half the Fortune 500. A single prompt-injected instruction hidden in content the AI agent merely reads, such as an MCP connector response or a web search result, could escape Cursor's terminal sandbox and run arbitrary commands on a developer's machine with no click or approval needed. Cato reported the flaws privately on February 19; Cursor initially rejected them, then reopened and fixed both in the Cursor 3.0 release on April 2, with CVE IDs assigned June 5. Every Cursor version before 3.0 remains vulnerable. Cato says it is disclosing similar sandbox-escape flaws in other popular coding agents, arguing the weakness is structural rather than specific to Cursor.

DuneSlide is a reminder that agentic coding tools break an assumption sandboxing was built on: that only a human, not the AI agent's own autonomous reads, decides what gets executed. Because Cursor's sandbox trusted parameters the agent itself could set, a prompt hidden in an MCP response or a search result was enough to reach full, unsandboxed code execution with zero clicks required. Cato says it is now disclosing similar flaws in other popular coding agents, arguing this is a structural weakness in how the category builds trust boundaries, not a one-off Cursor bug.

What happened

Cato AI Labs disclosed two critical remote-code-execution vulnerabilities in the Cursor AI code editor, together dubbed DuneSlide and tracked as CVE-2026-50548 and CVE-2026-50549, both rated 9.8 out of 10 under CVSS 3.1 (9.3 under CVSS 4.0), according to Cato's own writeup, The Hacker News and CybersecurityNews. Cursor says its editor is used by more than half of the Fortune 500.

Technical context

Cursor 2.x introduced automatic terminal-command execution inside a sandbox, so the AI agent's shell commands run without a user-approval prompt but stay contained. Both DuneSlide bugs defeat that containment through zero-click prompt injection: an attacker never interacts with the victim directly, instead planting instructions inside content the agent reads on the user's behalf, such as an MCP server response or a web search result. CVE-2026-50548 abuses the working_directory parameter on Cursor's run_terminal_cmd tool; when the agent sets that parameter to a non-default path, Cursor adds it to the sandbox's allowed-write list without further checks, letting injected instructions redirect a write to the sandbox's own helper binary (or files like ~/.zshrc) and disable sandboxing for later commands. CVE-2026-50549 abuses a fallback in Cursor's symlink-canonicalization check: when that check cannot resolve whether a write target sits inside the project, because the target does not exist or read access has been stripped, Cursor defaults to trusting the symlink's in-project path rather than blocking the write, letting an attacker-created symlink reach the same sandbox helper. Cato found no evidence of real-world exploitation before disclosure.
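To make the two weaknesses concrete, here is an added example (not Cursor's code; the function names, the "sandbox-helper" file and the temporary directory layout are hypothetical) contrasting a fail-open write-policy check, which falls back to the lexical path when canonicalisation fails and treats an agent-supplied working directory as an allowed root, with a fail-closed version that refuses both:

```python
from __future__ import annotations
import os
import shutil
import stat
import tempfile
from pathlib import Path

def naive_is_allowed(target: Path, allowed_roots: list[Path]) -> bool:
    """Fail-open check in the shape the article describes: when canonicalisation fails,
    fall back to the lexical path, so a dangling symlink inside the project passes."""
    try:
        real = target.resolve(strict=True)
    except OSError:  # missing target or unreadable link: falls back instead of denying
        real = Path(os.path.abspath(target))
    return any(real.is_relative_to(root) for root in allowed_roots)

def hardened_is_allowed(target: str, allowed_roots: list[Path], working_directory: Path | None = None) -> bool:
    """Fail-closed check. working_directory is agent-controlled input: it only anchors
    relative paths and is never added to allowed_roots. Any resolution error denies."""
    path = (working_directory or Path.cwd()) / target  # an absolute target stays absolute
    try:
        real_parent = path.parent.resolve(strict=True)  # every ancestor must exist and be readable
        try:
            if stat.S_ISLNK(os.lstat(path).st_mode):
                return False  # never write through a symlink, dangling or not
        except FileNotFoundError:
            pass  # creating a new file inside an existing, canonical directory is fine
    except OSError:
        return False
    return any((real_parent / path.name).is_relative_to(root) for root in allowed_roots)

def demo() -> dict[str, bool]:
    """Constructed scenario: a project dir, an outside dir standing in for the sandbox
    helper's location, and an attacker-planted dangling symlink inside the project."""
    base = Path(tempfile.mkdtemp()).resolve()
    project, outside = base / "project", base / "outside"
    project.mkdir(); outside.mkdir()
    (project / "helper-link").symlink_to(outside / "sandbox-helper")  # target does not exist yet
    roots = [project]
    try:
        return {
            "naive_dangling_symlink": naive_is_allowed(project / "helper-link", roots),            # True
            "hardened_dangling_symlink": hardened_is_allowed(str(project / "helper-link"), roots), # False
            "naive_agent_workdir": naive_is_allowed(outside / "x.sh", roots + [outside]),          # True
            "hardened_agent_workdir": hardened_is_allowed("x.sh", roots, outside),                 # False
            "hardened_new_file": hardened_is_allowed("notes.txt", roots, project),                 # True
        }
    finally:
        shutil.rmtree(base)
```

The two naive results show the same fail-open decision the article attributes to the pre-3.0 sandbox; the hardened check denies them while still allowing an ordinary new file in the project.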

Timeline

  1. Cato AI Labs privately reported both vulnerabilities to Cursor.

  2. Cursor rejected the reports, saying its threat model did not cover misuse of MCP servers, even standard ones like the official Linear integration.

  3. Cato escalated directly to Cursor's security team, which reopened and began triaging both issues.

  4. Cursor shipped a fix for the working-directory flaw (CVE-2026-50548) in the Cursor 3.0 release.

  5. Cursor confirmed the symlink flaw (CVE-2026-50549) was also fixed in the 3.0 release.

  6. CVE IDs were assigned to both vulnerabilities.

For practitioners

Any Cursor installation predating version 3.0 remains exposed; teams should confirm they are on 3.0 or later. This is the third documented case of a poisoned prompt reaching code execution in Cursor alone, following CurXecute and MCPoison in 2025, plus a similar Gemini CLI flaw earlier in 2026. Organizations building on agentic coding tools should therefore audit their own working-directory and symlink-handling logic rather than assume sandboxing holds against autonomous content ingestion. Any feature that lets an agent fetch external content (MCP servers, web search, connected repos) is a potential injection vector.

What to watch

Cato says it is in the process of responsibly disclosing similar sandbox-escape flaws in other popular coding agents, which would confirm this is a category-wide architectural gap rather than a Cursor-specific defect. Whether other vendors adopt the fix pattern Cursor used, treating agent-controllable parameters as untrusted input, will determine how quickly this recurs elsewhere.

Key Points

  • Cato AI Labs disclosed DuneSlide, two 9.8-severity zero-click RCE flaws in Cursor's sandbox, already patched in Cursor 3.0.
  • A prompt hidden in MCP server content or search results could hijack Cursor's agent to escape its sandbox without any user click.
  • As the third such Cursor bug in a year, DuneSlide shows agentic coding tools need sandboxes built for autonomous content ingestion.

Scoring Rationale

A CVSS 9.8 zero-click sandbox-escape chain in a coding tool used by most of the Fortune 500 is a serious, well-documented case, but it was responsibly disclosed, patched months before public disclosure, shows no evidence of exploitation, and is the third such bug in a recurring pattern rather than a novel category of risk, keeping it in the notable tier.

