Cursor patches DuneSlide flaws that enable zero-click RCE
TL;DR
- Cato AI Labs disclosed two Cursor IDE flaws, CVE-2026-50548 and CVE-2026-50549, scoring 9.8 and 9.3 CVSS, both patched in Cursor 3.0 on April 2.
- The attack path is prompt injection through content the agent reads on the user's behalf, such as an MCP-connected service or a web search result.
- Cursor's maker says more than half the Fortune 500 uses the tool, and every version before 3.0 is affected.
Cursor, the AI code editor that its maker says more than half the Fortune 500 has adopted, spent this spring quietly patching two critical flaws that let a single planted instruction take over a developer's machine. The Hacker News reported that researchers at Cato AI Labs named the pair DuneSlide, filed under CVE-2026-50548 (CVSS 9.8) and CVE-2026-50549 (CVSS 9.3). Both are patched in Cursor 3.0, released April 2, with CVE IDs assigned June 5. Every version before 3.0 is affected.
The interesting part is not the sandbox mechanics but how the agent gets compromised in the first place. There is no phishing lure, no dodgy download. The attacker never touches the developer's Cursor at all. They plant instructions inside something the agent reads on the user's behalf, either a connected service reached over the Model Context Protocol, or a page returned by a web search the agent runs. The first bug abuses the optional working_directory parameter on Cursor's run_terminal_cmd tool to write outside the project folder. The second exploits Cursor's symlink resolution fallback, which trusts the symlink's path when the safety check fails. Once the sandbox is neutralized, the next command runs as the user and can reach any cloud or SaaS workspaces the editor is signed into.
The disclosure story is worth reading closely too. Cato reported both issues on February 19. Cursor rejected them four days later, saying its threat model did not cover misuse of MCP servers, even standard ones like the official Linear workspace. Cato escalated on February 26; Cursor reopened the reports, triaged them, and shipped both fixes in 3.0. The honest caveat is that the reporting does not describe any known exploitation in the wild, and the article does not lay out the exploit chain in step-by-step form.
For anyone shipping AI coding agents, the takeaway is that the security perimeter is now every string the agent reads, not just what the user types. The upside is that this is an auditable pattern: check every tool-call parameter the LLM can influence, and assume any external content the agent ingests is attacker-controlled. If you run Cursor, the practical guidance is short. Get to 3.0.
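The audit pattern above, sketched for a working-directory parameter, as an added example that is not Cursor's code or Cato's: a hypothetical resolve_working_directory helper treats the model-supplied value as attacker-controlled, resolves symlinks strictly, and denies the call when resolution fails instead of falling back to the unresolved path. The temp-directory layout and case names are constructed for the demo.

```python
import tempfile
from pathlib import Path


class ToolCallDenied(Exception):
    """A model-supplied tool parameter failed validation."""


def resolve_working_directory(project_root, requested):
    """Return the real directory for a tool call or raise ToolCallDenied.
    `requested` is model-influenced, so it is treated as attacker-controlled.
    Hypothetical helper written for this example, not Cursor's code.
    """
    root = Path(project_root).resolve(strict=True)
    candidate = root / requested  # an absolute `requested` replaces root
    try:
        real = candidate.resolve(strict=True)
    except (OSError, RuntimeError, ValueError) as exc:
        # Missing target, symlink loop or NUL byte: fail closed, never
        # fall back to the unresolved path.
        raise ToolCallDenied(f"cannot resolve {requested!r}") from exc
    if real != root and root not in real.parents:
        raise ToolCallDenied(f"{requested!r} resolves outside the project")
    if not real.is_dir():
        raise ToolCallDenied(f"{requested!r} is not a directory")
    return real


def demo():
    """Check constructed inputs in a temp tree; return {case: outcome}."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        project, outside = Path(tmp, "project"), Path(tmp, "outside")
        (project / "src").mkdir(parents=True)
        outside.mkdir()
        (project / "link_out").symlink_to(outside)           # leaves the root
        (project / "dangling").symlink_to(project / "gone")  # target missing
        cases = {"subdir": "src", "root": ".", "dotdot": "../outside",
                 "absolute": str(outside), "symlink": "link_out",
                 "dangling": "dangling", "normalized": "src/../src"}
        for name, value in cases.items():
            try:
                resolve_working_directory(project, value)
                results[name] = "allowed"
            except ToolCallDenied:
                results[name] = "denied"
    return results


if __name__ == "__main__":
    print(demo())
```

The caller should pass the returned, resolved path to the process launcher rather than the original string, so the value that was checked is the value that is used.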
Originally reported by thehackernews.com
Original headline: 'DuneSlide' Cursor IDE CVEs Disclosed — Two Zero-Click Prompt Injection Flaws (CVE-2026-50548/50549, CVSS 9.8) Let Attackers Escape Sandbox and RCE Developer Machines