Skip to content
AI Security Wire

Published

- 3 min read

By

Cursor DuneSlide: Two Critical CVEs Enable Zero-Click RCE via Prompt Injection

img of Cursor DuneSlide: Two Critical CVEs Enable Zero-Click RCE via Prompt Injection

Cato Networks disclosed two critical vulnerabilities in Cursor IDE on July 3, 2026, collectively tracked as DuneSlide. CVE-2026-50548 and CVE-2026-50549 both carry a CVSS score of 9.8 and allow prompt injection attacks to escape the IDE’s sandbox entirely, reaching OS-level code execution on the developer’s machine with no user click required. Every Cursor version before 3.0 is affected. Cursor shipped the patch on April 2, 2026, following a February 2026 disclosure.

The Two Vulnerabilities

CVE-2026-50548 — working directory trust flaw. Cursor’s sandbox evaluates which paths are permitted by checking whether they fall within the project’s working directory. The flaw is in how a non-default working_directory parameter is processed: when an injected prompt instructs the LLM to set the working directory to an attacker-controlled path outside the project, that path gets added to the sandbox’s allow list. From there, an attacker can overwrite the cursorsandbox binary itself. Once the binary is replaced, all subsequent commands that Cursor runs pass through attacker-controlled logic with no sandboxing restrictions applied.

CVE-2026-50549 — symlink path canonicalization flaw. Before writing to a file path, Cursor attempts to resolve symbolic links to verify the resolved destination sits inside the project directory. The edge case lies in write-only symlinks: when the resolution check fails for a write-only symlink, Cursor falls back to trusting the apparent path of the symlink rather than refusing. An attacker who can place a symlink in a location Cursor will act on can redirect writes to arbitrary locations outside the project tree, including system paths.

Both vulnerabilities share the same exploitation trigger: the victim prompts the IDE to ingest attacker-controlled content. This could be a malicious file in a repository, a poisoned dependency, or any other path through which an adversary can influence what the LLM acts on.

Developer Supply Chain Risk

The practical attack surface for DuneSlide is significant. A developer who clones a malicious repository and asks Cursor to summarise, refactor, or explain its contents could trigger exploitation before any code is executed on their machine. AI-assisted code review, which has become a routine workflow, creates a direct path to prompt injection at scale.

The downstream impact extends beyond the local machine. Cursor environments commonly have access to tokens for cloud providers, package registries, version control systems, and SaaS platforms. Compromising the developer’s machine through the IDE gives an attacker access to those credentials and any connected systems they authenticate against.

Cato Networks notes that Cursor is used by over half of the Fortune 500. The combination of broad enterprise adoption and a zero-click prompt injection path to OS-level execution is the reason these vulnerabilities warrant immediate attention from security teams managing developer endpoint posture.

Patching and Mitigation

Cursor 3.0, released April 2, 2026, contains fixes for both CVE-2026-50548 and CVE-2026-50549. Cato Networks verified no evidence of active exploitation prior to disclosure. The three-month gap between patch and public disclosure is consistent with coordinated responsible disclosure practice.

Teams running earlier Cursor versions should upgrade to 3.0 immediately. Where upgrades cannot be applied immediately, restrict the use of Cursor’s agentic features on untrusted repositories and treat any third-party content ingested by the IDE as a potential prompt injection surface until patching is confirmed.

Distinguish these CVEs from CVE-2026-22708 (patched in Cursor 2.3, a different shell environment poisoning flaw): both fixes are required for fully patched environments. Cursor 3.0 addresses all three.

References

Frequently Asked Questions

What are CVE-2026-50548 and CVE-2026-50549, and which Cursor versions are affected?
CVE-2026-50548 and CVE-2026-50549 are two critical (CVSS 9.8) vulnerabilities in Cursor IDE, collectively named DuneSlide. CVE-2026-50548 exploits a working directory trust flaw; CVE-2026-50549 exploits a symlink path canonicalization edge case. All Cursor versions before 3.0 are affected. The patch shipped in Cursor 3.0 on April 2, 2026.
Can DuneSlide be exploited without any user interaction?
Yes. Both vulnerabilities enable zero-click prompt injection attacks. Exploitation is triggered when a victim prompts the IDE to process attacker-controlled content — such as opening a malicious repository or ingesting a poisoned file. No explicit approval step is required from the user.
What can an attacker do after exploiting DuneSlide?
Successful exploitation allows an attacker to overwrite the cursorsandbox binary, transforming all future sandboxed commands into unsandboxed execution. This can lead to full OS-level compromise of the developer's machine and access to connected SaaS workspaces and credentials.
How is DuneSlide different from CVE-2026-22708?
CVE-2026-22708 (patched in Cursor 2.3) exploited shell environment variable poisoning through implicitly trusted shell built-ins like export and declare. DuneSlide (CVE-2026-50548 and CVE-2026-50549) operates through different mechanisms: working directory parameter trust and symlink path canonicalization logic. They are distinct vulnerability classes with distinct patches.