DuneSlide: Two Critical RCE Flaws in Cursor IDE
Cato AI Labs disclosed DuneSlide — two critical RCE flaws (CVSS 9.8, CVE-2026-50548/50549) in Cursor IDE. Zero-click prompt injection writes arbitrary files, escapes the sandbox and takes over the dev machine. Fixed in Cursor 3.0; all earlier versions affected.
On July 1, 2026, the Cato AI Labs research team disclosed DuneSlide — two critical remote code execution (RCE) vulnerabilities in Cursor IDE, the AI-powered coding environment that, according to Cursor, is used by over half of the Fortune 500. Both scored 9.8 on CVSS and were assigned CVE-2026-50548 and CVE-2026-50549.
The most alarming part is the zero-click prompt-injection attack path. A victim only has to type an innocuous prompt to the agent, but if a malicious payload slips in from an untrusted source — an MCP server or a poisoned web search result — an attacker can write arbitrary files to the machine, break out of the sandbox and fully compromise the host, including connected SaaS workspaces.
Key points
- Flaw #1 —
working_directorymanipulation: Cursor 2.x auto-runs terminal commands inside a sandbox. But theworking_directoryparameter of therun_terminal_cmdtool, if steered by prompt injection to a path outside the project, is blindly added to the sandbox's allowed-write list. Overwriting thecursorsandboxbinary makes later commands run unsandboxed. - Flaw #2 — symlink canonicalization failure: When Cursor cannot canonicalize a path (file missing or unreadable directory), it falls back to the original in-project symlink path instead of refusing — allowing a write-only symlink pointing outside to overwrite that same sandbox binary.
- Impact: overwriting system files turns sandboxed commands into unsandboxed RCE and full takeover of the dev machine.
- Fix: both bugs are patched in Cursor 3.0 (released April 2); every version before 3.0 is affected. Cato reported them on Feb 19, they were initially rejected on Feb 23 then reopened; CVEs were assigned June 5.
DuneSlide shows prompt injection reaching beyond the LLM layer to revive classical vulnerabilities in code paths not traditionally seen as attack surface. Cato says it is continuing to review other popular coding agents.
FAQ
Am I affected? If you run Cursor before 3.0 with auto-run sandboxed commands, yes. Upgrade to Cursor 3.0 or later.
Is just opening a project risky? The risk comes from untrusted content the agent ingests (MCP servers, web results). Limiting unknown MCP/sources and patching are the main mitigations.
Is this only a Cursor bug? Cato argues it is a broader architectural problem for any agent with autonomous command execution, not Cursor alone.
