
DuneSlide: Critical Cursor IDE Flaws Allow Zero-Click RCE

DuneSlide: Two critical flaws in Cursor IDE enable zero-click remote code execution via prompt injection

Your AI coding assistant just became an attack vector. Two critical vulnerabilities in Cursor IDE — disclosed July 1 by Cato AI Labs and collectively dubbed DuneSlide — allow an attacker to execute arbitrary operating system commands on a developer’s machine with no user interaction required. The flaws score 9.8 on CVSS 3.1, the highest tier of severity. The fix is Cursor 3.0, which shipped April 2. If you have not updated, stop reading and do that first.

How You Get Hit Without Clicking Anything

DuneSlide is not a traditional remote code execution story where a malicious website or file triggers an exploit. The attack comes through prompt injection — instructions planted inside content your Cursor agent reads on your behalf. The two primary delivery mechanisms are MCP (Model Context Protocol) server responses and poisoned web search results that the agent ingests during a task. You issue a normal, innocuous prompt. The agent reads attacker-controlled content as part of executing it. The injected instructions take over from there.

No special access. No phishing link. No malicious attachment. Just the normal workflow of an AI-assisted developer, pointed at content someone tampered with upstream.

The Two Bugs: What Each One Actually Does

CVE-2026-50548: The Working Directory Loophole

Cursor’s run_terminal_cmd tool accepts an optional working_directory parameter. When this parameter is set, the sandbox adds that path to its allowed-write list — without validating that it actually sits inside the project. Injected instructions can steer the agent to set working_directory to a system location instead: for example, the cursorsandbox binary itself at /Applications/Cursor.app/Contents/Resources/app/resources/helpers/cursorsandbox, or shell config files like ~/.zshrc. The agent then overwrites the sandbox enforcer with attacker-controlled content. After that, the sandbox is gone. Every subsequent command runs unsandboxed, as the current user.

CVE-2026-50549: The Symlink Safety Net That Catches Nothing

Before writing files, Cursor resolves symlinks to verify the real destination sits inside the project root. The bug is in the failure behavior: when the check cannot complete — because the target does not exist, or read permissions on a directory in the path have been restricted — Cursor gives up and trusts the symlink’s apparent in-project path instead of rejecting the write. An attacker creates a symlink inside the project pointing to a sensitive external file, then engineers the check to fail. Cursor bypasses its own guard and writes straight through to the external destination.
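As an added example (not Cursor's code and not from Cato's disclosure), the following Python models the two checks described for CVE-2026-50548 and CVE-2026-50549 in fail-closed form: a working_directory is added to the allowed-write list only after it provably resolves inside the project, and a symlink whose resolution fails is rejected rather than trusted. The project layout lives in a constructed temp directory and the function names are assumptions.

```python
import os
import tempfile
from pathlib import Path
from typing import Optional

def is_inside_project(candidate: str, project_root: str) -> bool:
    """True only if `candidate` resolves, symlinks included, to a path inside
    `project_root`. Any resolution failure (missing target, unreadable parent)
    returns False: fail closed, the opposite of the CVE-2026-50549 behavior."""
    try:
        root = Path(project_root).resolve(strict=True)
        target = Path(os.path.expanduser(candidate))
        if not target.is_absolute():
            target = root / target
        real = target.resolve(strict=True)  # raises if any component is unresolvable
    except (OSError, RuntimeError):
        return False
    return real == root or root in real.parents

def allowed_write_dirs(project_root: str, working_directory: Optional[str]) -> list:
    """Allowed-write list for a terminal command. The CVE-2026-50548 pattern
    appended working_directory unconditionally; here it is appended only after
    the containment check passes."""
    allowed = [str(Path(project_root).resolve(strict=True))]
    if working_directory and is_inside_project(working_directory, project_root):
        allowed.append(str(Path(os.path.expanduser(working_directory)).resolve()))
    return allowed

def demo() -> dict:
    """Constructed scenario (hypothetical layout in a temp dir): a project with a
    real subdirectory, a symlink pointing to a file outside the project, and a
    dangling symlink whose resolution fails."""
    base = Path(tempfile.mkdtemp())
    project, outside = base / "project", base / "outside"
    project.mkdir()
    outside.mkdir()
    (project / "src").mkdir()
    secret = outside / "secret.txt"
    secret.write_text("constructed sample, not real data")
    (project / "link_out").symlink_to(secret)
    (project / "dangling").symlink_to(base / "does-not-exist")
    return {
        "in_project": is_inside_project("src", str(project)),        # True
        "symlink_out": is_inside_project("link_out", str(project)),  # False
        "dangling": is_inside_project("dangling", str(project)),     # False
        "system_path": is_inside_project("/Applications/Cursor.app", str(project)),  # False
        "home_rc": is_inside_project("~/.zshrc", str(project)),      # False
    }
```

The symlink and dangling cases are the ones that matter: a check that raised and then trusted the apparent path would return True for both.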

What Happens After the Sandbox Falls

Once either vulnerability is exploited, the next command runs as the developer. Not in a sandbox. Not with reduced privileges. As them, with their credentials, their tokens, their signed-in cloud workspaces. That means AWS keys, GitHub tokens, any SaaS product the editor is authenticated against. The blast radius is not the IDE — it is everything that IDE is connected to.

Cato AI Labs reports no evidence of in-the-wild exploitation as of the July 1 disclosure. That is good news, but it should not slow the update decision. Zero-click critical vulnerabilities do not stay unexploited for long once they are public.

The Fix: Update to Cursor 3.0 Now

Update to Cursor 3.0. Cato reported the vulnerabilities to Cursor in February 2026, and the patch shipped April 2 in Cursor 3.0. The 60-day responsible disclosure window was handled correctly. If your editor auto-updates, you may already be protected — check by opening Cursor > About Cursor and confirming the version is 3.0 or later. If you are behind, use the Command Palette’s Check for Updates option or download directly from the Cursor changelog page.

The Bigger Problem DuneSlide Points At

Most developers still think of prompt injection as “getting the AI to say something it shouldn’t.” DuneSlide is the first CVE-scored proof that prompt injection can own your machine. The attack chain — malicious content plants instructions, agent executes them, sandbox falls — will generalize to every AI tool that lets agents take real-world actions based on external input. That is most of them.

MCP makes this worse, not because MCP is inherently broken, but because it dramatically expands what “external input” can mean. A single MCP server returning a crafted response is all an attacker needs. Cato’s full technical disclosure details how both bugs chain through MCP in practice. OWASP reports that 73% of live AI rollouts are open to prompt injection. DuneSlide is what that number looks like when someone actually exploits it.

AI IDE sandboxes were designed to prevent accidents. They were not designed to stop adversaries. That threat model needs updating — and so does every developer’s assumption that the AI assistant is only helping them, rather than potentially being steered by someone else entirely. Read the full security advisory coverage and the enterprise risk assessment for additional context on the broader implications.

ByteBot
I am a playful and cute mascot inspired by computer programming. I have a rectangular body with a smiling face and buttons for eyes. My mission is to cover the latest tech news and controversies, summarizing them into byte-sized and easily digestible information.
