Cursor DuneSlide: Zero-Click RCE Vulnerabilities Explained (CVE-2026-50548/50549)
On July 1, 2026, researchers from Cato AI Labs publicly disclosed two critical remote code execution vulnerabilities in Cursor IDE — collectively named “DuneSlide.” Both carry a CVSS score of 9.8 (critical) and can be exploited through zero-click prompt injection, meaning an attacker can compromise a developer’s machine without them clicking or approving anything.
These are among the most serious security vulnerabilities ever discovered in an AI coding tool, and they highlight a fundamental risk of agentic AI: when an AI agent has the ability to read files, execute commands, and make changes autonomously, a prompt injection can turn that power against the user.
The Vulnerabilities at a Glance
| | CVE-2026-50548 | CVE-2026-50549 |
|---|---|---|
| Type | Working directory manipulation | Symlink path traversal |
| CVSS | 9.8 (Critical) | 9.8 (Critical) |
| Attack vector | Zero-click prompt injection | Zero-click prompt injection |
| Impact | Overwrite cursorsandbox binary | Write arbitrary files via symlinks |
| Result | Sandbox escape → full system compromise | Sandbox escape → full system compromise |
| Discovered by | Cato AI Labs | Cato AI Labs |
| Patched in | Cursor 3.0 (April 2, 2026) | Cursor 3.0 (April 2, 2026) |
How the Attack Works
Step-by-step (simplified)
- Attacker embeds malicious content in a file, URL, or MCP (Model Context Protocol) server response
- Developer opens a project or Cursor’s AI processes the content — no click or approval needed
- Prompt injection triggers — the malicious content instructs Cursor’s AI to perform actions
- CVE-2026-50548 or CVE-2026-50549 is exploited — the AI’s actions bypass Cursor’s sandbox
- Attacker gains full system access — arbitrary command execution, data exfiltration, persistence
The “zero-click” aspect is what makes this particularly dangerous. In agentic mode, Cursor can process untrusted content from:
- Files in a cloned repository
- Responses from MCP servers
- Web search results
- Terminal output from malicious processes
Any of these can serve as the injection vector.
Why This Matters Beyond Cursor
The DuneSlide vulnerabilities are significant not just because they affect Cursor — they expose a class of security risks inherent to AI coding agents that:
- Have read/write/execute access to the filesystem
- Process untrusted content from repositories, websites, and APIs
- Operate autonomously without human confirmation for every action
- Run inside a sandbox that may have escape vulnerabilities
Every AI coding tool with agentic capabilities — Cursor, Claude Code, Copilot Agent, Junie, ZCode — faces similar architectural risks. The difference is in how well they mitigate them.
What Cursor Fixed in Version 3.0
Cursor addressed the DuneSlide vulnerabilities in version 3.0 (released April 2, 2026):
- Improved file path sanitization — preventing directory traversal and symlink abuse
- Stricter working directory controls — preventing critical system file overwrites
- Stronger sandbox isolation — additional layers between the AI agent and the host OS
- Prompt injection detection — heuristic monitoring for known injection patterns
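The kind of symlink-aware containment check that "file path sanitization" refers to, written from the defender's side: resolve every path before comparing it to the workspace root, and list symlinks in a cloned repository that point outside it. This is an added example, not Cursor's code or its actual fix; the function names, directory layout and file names are constructed for illustration.

```python
import os
import tempfile


def is_within(workspace: str, candidate: str) -> bool:
    """True if candidate, after resolving '..' and symlinks, stays inside workspace."""
    root = os.path.realpath(workspace)
    target = os.path.realpath(os.path.join(root, candidate))
    return os.path.commonpath([root, target]) == root


def find_escaping_symlinks(workspace: str) -> list:
    """Return workspace-relative paths of symlinks that resolve outside workspace."""
    root = os.path.realpath(workspace)
    hits = []
    # followlinks=False: report links, never walk through them
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                resolved = os.path.realpath(full)
                if os.path.commonpath([root, resolved]) != root:
                    hits.append(os.path.relpath(full, root))
    return sorted(hits)


def demo() -> dict:
    """Constructed workspace: one in-tree symlink, one symlink leaving the tree."""
    with tempfile.TemporaryDirectory() as base:
        ws = os.path.join(base, "repo")
        outside = os.path.join(base, "outside")
        os.makedirs(os.path.join(ws, "src"))
        os.makedirs(outside)
        open(os.path.join(ws, "src", "main.py"), "w").close()
        os.symlink(os.path.join(ws, "src"), os.path.join(ws, "ok_link"))
        os.symlink(outside, os.path.join(ws, "build"))
        return {
            "plain": is_within(ws, "src/main.py"),
            "dotdot": is_within(ws, "../outside/x"),
            "via_symlink": is_within(ws, "build/tool"),
            "via_ok_link": is_within(ws, "ok_link/main.py"),
            "escaping": find_escaping_symlinks(ws),
        }


if __name__ == "__main__":
    print(demo())
```

A check like this is still subject to a race if the path is re-resolved at write time, so enforcement code should act on the already-resolved path or open files with `O_NOFOLLOW` rather than checking and then writing by name.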
Mitigation Recommendations
For individual developers:
- Update now — verify you’re on Cursor 3.0 or later (Settings → About)
- Be selective about which MCP servers you connect Cursor to
- Review auto-mode settings — consider requiring approval for file writes and command execution
- Monitor Cursor logs for unexpected behavior
For enterprise teams:
- Audit your Cursor deployment version — ensure all seats are on 3.0+
- Review MCP server whitelist — only approve trusted servers
- Update security policies to account for AI agent risks
- Consider sandboxed development environments (containers, VDI) as an additional layer
Broader Implications
The DuneSlide disclosure comes at a time when 55% of developers use AI agents for coding — a number expected to exceed 70% by end of 2026. The vulnerabilities raise important questions:
- Should AI coding agents have filesystem access by default?
- How should untrusted content from AI processing be isolated from the OS?
- Are current sandbox implementations robust enough for agentic AI?
The 9.8 CVSS score confirms that the security industry takes these risks seriously. Expect more scrutiny of AI coding tool security as agent adoption grows.
Published July 5, 2026. Source: Cato AI Labs disclosure (July 1), The Hacker News, SecurityWeek, SecureBulletin, News4Hackers. CVE identifiers assigned June 5, 2026. Cursor 3.0 patch date: April 2, 2026. This article is for informational purposes; consult your security team for specific vulnerability management guidance.