Researchers at Cato Networks have disclosed two critical zero-click remote code execution (RCE) vulnerabilities in the Cursor AI code editor, a tool used by developers at over half of Fortune 500 companies. The flaws, collectively named "DuneSlide" and tracked as CVE-2026-50548 and CVE-2026-50549, both have a CVSS score of 9.8. They enable an attacker to achieve full system compromise via a prompt injection that requires no user interaction. A malicious prompt can cause the AI agent to ingest a malicious payload from an external source and execute commands that break out of the IDE's sandbox. The vulnerabilities were patched in Cursor version 3.0, released in April 2026, but all prior versions remain at high risk.
The core of the issue lies in how Cursor's AI agent handles commands and file paths within its sandboxed environment. An attacker can trigger the exploit simply by getting a developer to issue a seemingly benign prompt that causes the AI to fetch malicious content from an untrusted source (e.g., a web search result).
working_directory Manipulation
This vulnerability exploits the handling of the working_directory parameter for terminal commands. A malicious prompt injection can instruct the AI agent to set the working directory to a sensitive location outside the intended project scope, such as the directory containing the sandbox helper binary itself. A subsequent command can then overwrite this binary, effectively disabling the sandbox and allowing the attacker to execute arbitrary commands with the user's privileges on the host system.
This is an independent flaw in the IDE's file path resolution logic. An attacker can use a prompt injection to create a symbolic link within the project directory that points to a sensitive file outside of it. When the AI agent attempts to write to a file via this symlink, it bypasses the path traversal protections and overwrites the target file, again leading to sandbox escape and RCE.
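The containment check that both flaws sidestep, sketched as an added example (not Cursor's code and not taken from the Cato research): a lexical prefix check is compared with one that resolves symlinks first, and the same resolved check is applied to the working directory and the write target. The function names, the directory layout and the `helper` file standing in for the sandbox helper binary are assumptions made for illustration.

```python
import os
import tempfile

def naive_is_inside(project_root, path):
    """Lexical check only: collapses '..' but never looks at symlinks."""
    candidate = os.path.normpath(os.path.join(project_root, path))
    return candidate.startswith(os.path.normpath(project_root) + os.sep)

def resolved_is_inside(project_root, path):
    """Resolve symlinks on both sides, then compare the real paths."""
    root = os.path.realpath(project_root)
    candidate = os.path.realpath(os.path.join(project_root, path))
    return os.path.commonpath([root, candidate]) == root

def check_agent_action(project_root, working_directory, write_target):
    """Hypothetical policy gate: cwd and write target must both stay in the project."""
    if not resolved_is_inside(project_root, working_directory):
        return "deny: working_directory outside project"
    target = os.path.join(working_directory, write_target)
    if not resolved_is_inside(project_root, target):
        return "deny: write target resolves outside project"
    return "allow"

def demo():
    """Build a constructed layout in a temp dir and run the checks against it."""
    with tempfile.TemporaryDirectory() as base:
        project = os.path.join(base, "project")
        helper_dir = os.path.join(base, "app", "bin")
        os.makedirs(os.path.join(project, "src"))
        os.makedirs(helper_dir)
        helper = os.path.join(helper_dir, "helper")  # stand-in for the helper binary
        open(helper, "w").close()
        # Symlink inside the project that points at a file outside it.
        os.symlink(helper, os.path.join(project, "notes.txt"))
        return {
            "naive_symlink": naive_is_inside(project, "notes.txt"),
            "resolved_symlink": resolved_is_inside(project, "notes.txt"),
            "cwd_outside": check_agent_action(project, helper_dir, "helper"),
            "symlink_write": check_agent_action(project, project, "notes.txt"),
            "normal_write": check_agent_action(
                project, os.path.join(project, "src"), "main.py"),
        }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

A resolve-then-write check still leaves a window between the check and the write, so the write itself should also refuse to follow a symlink in the final path component (for example by opening with `O_NOFOLLOW`).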
The tool's widespread adoption in enterprise environments, including many Fortune 500 companies, makes the potential impact severe, as compromised developer machines can be a gateway to sensitive source code, credentials, and production systems.
These vulnerabilities were responsibly disclosed to the Cursor team in February 2026 and patched on April 2, 2026. While there are no public reports of in-the-wild exploitation, the publication of technical details and the zero-click nature of the attack make it highly likely that threat actors will attempt to target unpatched instances.
A successful exploit would grant an attacker full control over a developer's workstation. This presents a catastrophic risk to an organization. The attacker could:
The following patterns may help identify vulnerable or compromised systems:
cursor-sandbox-helper
ln -s /path/to/sensitive/file
~/.cursor-server/
IDE logs, Terminal history
cd) to unexpected system paths before execution.
cursor-sandbox-helper binary and other critical Cursor application files to detect unauthorized modifications. This is a form of D3FEND's System File Analysis (D3-SFA).
Updating Cursor to version 3.0 or later is the most critical mitigation step to fix the root vulnerabilities.
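The detection patterns listed above, turned into two small checks as an added example (not a rule shipped with the article or by Cursor): one scans terminal history for `cd` and `ln -s` commands that reach outside the project, the other compares monitored files against a SHA-256 baseline. The project root `/home/dev/project`, the function names and the one-command-per-line history format are assumptions; the sample history is constructed from the patterns the article names.

```python
import hashlib
import os
import shlex

def outside(root, path, base):
    """True if `path`, taken relative to `base`, resolves outside `root`."""
    real = os.path.realpath(os.path.join(base, os.path.expanduser(path)))
    root = os.path.realpath(root)
    return os.path.commonpath([root, real]) != root

def scan_history(lines, project_root):
    """Flag `cd` and `ln -s` commands that reach outside the project."""
    findings, cwd = [], project_root
    for n, line in enumerate(lines, 1):
        try:
            argv = shlex.split(line)
        except ValueError:  # unbalanced quotes: skip the line
            continue
        flags = [a for a in argv[1:] if a.startswith("-")]
        args = [a for a in argv[1:] if not a.startswith("-")]
        if argv[:1] == ["cd"] and args:
            if outside(project_root, args[0], cwd):
                findings.append((n, "cd outside project", args[0]))
            cwd = os.path.join(cwd, os.path.expanduser(args[0]))
        elif argv[:1] == ["ln"] and args and (
                "--symbolic" in flags
                or any("s" in f for f in flags if not f.startswith("--"))):
            # A relative symlink target is interpreted from the link's directory.
            base = os.path.dirname(os.path.join(cwd, args[1])) if len(args) > 1 else cwd
            if outside(project_root, args[0], base):
                findings.append((n, "symlink target outside project", args[0]))
    return findings

def sha256_of(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()

def modified(baseline):
    """Paths from a {path: sha256} baseline that are now missing or changed."""
    return [p for p, digest in baseline.items()
            if not os.path.exists(p) or sha256_of(p) != digest]

# Constructed sample history; commands are the patterns named in the article.
SAMPLE_HISTORY = ["cd src", "ln -s ../README.md readme-link",
                  "ln -s /path/to/sensitive/file notes.txt", "cd ~/.cursor-server/"]

if __name__ == "__main__":
    print(scan_history(SAMPLE_HISTORY, "/home/dev/project"))
```

The baseline for `modified` has to be recorded from a known-good installation and stored where the agent's commands cannot write to it.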
While the built-in sandbox was flawed, this incident highlights the importance of robust sandboxing. Future defenses could involve nested virtualization or stricter kernel-level controls.
Educating developers on the dangers of prompt injection and interacting with untrusted content via AI tools can help prevent initial exploitation.
Cato Networks reports the DuneSlide vulnerabilities to the Cursor team.
Cursor releases version 3.0, patching the vulnerabilities.
CVE-2026-50548 and CVE-2026-50549 are officially assigned.
Cato Networks publicly discloses the technical details of the DuneSlide vulnerabilities.
