Critical Cursor Flaws Could Allow Zero-Click Code Execution
Two newly discovered vulnerabilities in Cursor, a popular AI code editor, could enable attackers to execute arbitrary commands on a developer's machine without requiring any user interaction. The flaws, identified by Cato AI Labs and named DuneSlide, have been assigned the identifiers CVE-2026-50548 and CVE-2026-50549. Both vulnerabilities are rated 9.8 out of 10 on the CVSS scale, indicating their severe impact.
The Vulnerabilities Explained
Cursor, widely adopted by over half of the Fortune 500 companies, introduced a sandbox feature in its 2.x series to restrict the execution of terminal commands issued by its AI agent. However, the DuneSlide vulnerabilities allow attackers to escape this sandbox through a technique known as prompt injection. This method involves embedding malicious instructions within seemingly harmless prompts or data sources, such as connected services or web search results.
-
CVE-2026-50548: This flaw exploits a misconfiguration in the sandbox's allowed-write permissions. By manipulating the
working_directoryparameter in Cursor'srun_terminal_cmdtool, an attacker can overwrite critical system files, such as the sandbox helper or startup files like~/.zshrc. Once overwritten, the sandbox is disabled, allowing unrestricted command execution. -
CVE-2026-50549: This bug abuses a flaw in Cursor's symlink resolution process. When the sandbox fails to resolve a shortcut's destination, it trusts the shortcut's in-project path instead. Attackers can create shortcuts that point outside the project, forcing the sandbox to write to critical files and disable itself.
Zero-Click Attack Mechanism
The attack requires no user interaction, making it a zero-click exploit. An attacker can embed malicious instructions in data sources read by Cursor's AI agent, such as responses from connected services or web search results. When the agent processes these inputs, the embedded instructions execute without the user's knowledge or consent.
Impact and Mitigation
Once the sandbox is neutralized, attackers gain full control of the developer's machine and any connected cloud or SaaS workspaces. This poses significant risks to sensitive codebases, intellectual property, and organizational security.
Cursor has patched both vulnerabilities in version 3.0, released on April 2. All users are strongly advised to update to this version immediately, as all prior versions are affected.
Research and Disclosure
Cato AI Labs reported the vulnerabilities to Cursor on February 19. Initially, Cursor rejected the findings, stating that its threat model did not cover misuse of certain connected services. However, after escalation, Cursor reopened the reports and released patches in version 3.0. The CVE IDs were assigned on June 5.
A History of Cursor Vulnerabilities
DuneSlide is the latest in a series of vulnerabilities affecting Cursor, all of which involve prompt injection leading to code execution. Previous flaws, such as CurXecute and MCPoison, exploited different mechanisms but shared similar outcomes. These repeated issues raise concerns about the structural security of AI-driven developer tools.
Cato AI Labs has also hinted at similar vulnerabilities in other coding agents, suggesting that the problem may be systemic rather than isolated to Cursor.
Conclusion
The discovery of DuneSlide underscores the ongoing challenges of securing AI-powered tools in the developer ecosystem. As these tools become increasingly integrated into workflows, developers and organizations must remain vigilant and prioritize security to protect against emerging threats.