Cursor DuneSlide RCE Vulnerabilities Explained (July 2026)
Cursor DuneSlide RCE Vulnerabilities Explained (July 2026)
Cato Networks disclosed two critical vulnerabilities in the Cursor AI code editor in July 2026 — CVE-2026-50548 and CVE-2026-50549 — collectively named DuneSlide. They enable zero-click remote code execution via prompt injection. Cursor already patched them in version 3.0 (April 2, 2026), and CVE IDs were assigned June 5, 2026 — but every Cursor version before 3.0 is still vulnerable.
Last verified: July 4, 2026
The two CVEs
| CVE | Severity | Impact | Attack vector |
|---|---|---|---|
| CVE-2026-50548 | Critical | Zero-click RCE on host OS | Prompt injection in agent-consumed content |
| CVE-2026-50549 | Critical | Sandbox escape → host OS | Prompt injection chained with sandbox weakness |
Both are pre-Cursor-3.0 issues. Cursor 3.0 (April 2, 2026) shipped the fix before the CVEs were public.
How DuneSlide works
The attack chain uses prompt injection — a class of attack where malicious instructions are hidden inside content the AI agent reads, and the agent follows them.
Attack surface:
- A poisoned repo you clone — instructions hidden in
README.md, source files,.cursor/rules, or an MCP config - A malicious web page Cursor fetches via its browsing tool
- An MCP tool response from a compromised or attacker-controlled server
- A pull request the agent reviews — comments and code diffs are agent-readable
Exploit chain:
- User has a Cursor agent running (Composer, Chat, or Background Agent)
- Agent reads a file/page/tool response containing injected instructions
- Injected instructions tell agent to run tools or write files that trigger the sandbox escape
- Sandbox escape gains OS-level shell — attacker owns the developer’s machine
No user click required. The user only has to have the agent active with any of the above workflows.
What “zero-click” means for a code editor
Traditional IDE RCE requires the user to open a specific malicious file, click a link, or install an extension. Cursor’s agent runs continuously and reads content proactively — so opening a repo or asking for a code review is enough to trigger.
For enterprise dev teams this is a huge blast radius:
- Every clone of a public repo is a potential trigger
- Every MCP tool integration is a potential trigger
- Every AI-assisted PR review is a potential trigger
Am I patched?
If you are on Cursor 3.0 or later — yes.
Check your Cursor version:
- macOS: Cursor → About Cursor
- Windows/Linux: Help → About
If you see anything 2.x or below, upgrade to the latest Cursor immediately. Current stable release as of July 4, 2026 is well past Cursor 3.0.
Broader takeaways
1. Prompt injection isn’t a bug — it’s the model. LLM agents can’t reliably distinguish “system instruction from the user” from “data content.” Every AI code editor with autonomous tool use has the same shape of attack surface.
2. Sandboxing matters more than model safety. Cursor’s fix is a stronger sandbox, not a model-side filter. Anthropic Claude, OpenAI GPT-5.6, and xAI Grok all get prompt-injected regularly — the defense has to be at the process/OS boundary.
3. Dev containers should be the default. Enterprises should run Cursor and other AI IDEs inside a devcontainer, Codespaces, or Docker sandbox — not on the developer’s host OS. That way, even a successful RCE is contained to a disposable env.
4. MCP tool audit. Every MCP server the agent can call is an attack path. Enterprises should whitelist MCP servers, review permissions, and prefer read-only tools where possible.
Similar recent incidents
- Devin Desktop (formerly Windsurf) — prompt injection via poisoned repo files disclosed May 2026
- Claude Code MCP server compromise — third-party MCP servers used to run commands, disclosed March 2026
- Aider Web Fetch — malicious HTML injection into agent context, disclosed February 2026
The pattern is unmistakable — every autonomous AI coding tool has been hit with a prompt-injection RCE class of bug in the last 12 months.
What to do now
Individuals:
- Update to Cursor 3.0+ (should be automatic, but confirm)
- Be cautious cloning unknown repos with Cursor agents active
- Turn off Background Agent when doing exploratory browsing/cloning
Enterprises:
- Enforce minimum Cursor version via MDM/endpoint
- Move Cursor into devcontainers or Codespaces
- Audit and whitelist MCP servers
- Add prompt-injection-content scanning to code review pipelines
- Watch for CVEs on all AI IDEs — Cursor is not uniquely vulnerable
What to watch
- Cato Networks full technical writeup — expected follow-up disclosure with the full chain
- Cursor 3.x security patches — likely follow-on fixes as researchers probe deeper
- CVEs on Devin Desktop, Zed AI, and others — same class of issue
- Enterprise MDM policies requiring dev-container isolation
Bottom line
DuneSlide is a serious pair of vulnerabilities, but Cursor patched them in April 2026 before public disclosure. If you upgraded to Cursor 3.0 or later, you’re safe. The bigger lesson is that autonomous AI code editors are a new class of attack surface — the industry needs stronger sandboxing standards, and enterprises should run these tools inside disposable containers by default.
Related: Cursor 3 vs Devin Desktop vs Claude Code · What is Devin Desktop (Windsurf rebrand) explained · MCP security best practices 2026