Critical "DuneSlide" Vulnerabilities in Cursor AI Code Editor Allow Zero-Click Remote Code Execution

Zero-Click RCE in Cursor AI IDE Lets Attackers Take Over Developer Machines

CRITICAL
July 4, 2026
6m read
VulnerabilityCyberattackCloud Security

Related Entities

Organizations

Cato Networks Cato AI Labs

Products & Tech

Cursor

CVE Identifiers

CVE-2026-50548
CRITICAL
CVSS:9.8
CVE-2026-50549
CRITICAL
CVSS:9.8

Full Report

Executive Summary

Researchers at Cato Networks have disclosed two critical zero-click remote code execution (RCE) vulnerabilities in the Cursor AI code editor, a tool used by developers at over half of Fortune 500 companies. The flaws, collectively named "DuneSlide" and tracked as CVE-2026-50548 and CVE-2026-50549, both have a CVSS score of 9.8. They enable an attacker to achieve full system compromise via a prompt injection that requires no user interaction. A malicious prompt can cause the AI agent to ingest a malicious payload from an external source and execute commands that break out of the IDE's sandbox. The vulnerabilities were patched in Cursor version 3.0, released in April 2026, but all prior versions remain at high risk.

Vulnerability Details

The core of the issue lies in how Cursor's AI agent handles commands and file paths within its sandboxed environment. An attacker can trigger the exploit simply by getting a developer to issue a seemingly benign prompt that causes the AI to fetch malicious content from an untrusted source (e.g., a web search result).

CVE-2026-50548: working_directory Manipulation

This vulnerability exploits the handling of the working_directory parameter for terminal commands. A malicious prompt injection can instruct the AI agent to set the working directory to a sensitive location outside the intended project scope, such as the directory containing the sandbox helper binary itself. A subsequent command can then overwrite this binary, effectively disabling the sandbox and allowing the attacker to execute arbitrary commands with the user's privileges on the host system.

CVE-2026-50549: Symbolic Link Path Traversal

This is an independent flaw in the IDE's file path resolution logic. An attacker can use a prompt injection to create a symbolic link within the project directory that points to a sensitive file outside of it. When the AI agent attempts to write to a file via this symlink, it bypasses the path traversal protections and overwrites the target file, again leading to sandbox escape and RCE.

Affected Systems

  • Product: Cursor AI Code Editor
  • Vulnerable Versions: All versions prior to 3.0
  • Patched Version: 3.0 and later

The tool's widespread adoption in enterprise environments, including many Fortune 500 companies, makes the potential impact severe, as compromised developer machines can be a gateway to sensitive source code, credentials, and production systems.

Exploitation Status

These vulnerabilities were responsibly disclosed to the Cursor team in February 2026 and patched on April 2, 2026. While there are no public reports of in-the-wild exploitation, the publication of technical details and the zero-click nature of the attack make it highly likely that threat actors will attempt to target unpatched instances.

Impact Assessment

A successful exploit would grant an attacker full control over a developer's workstation. This presents a catastrophic risk to an organization. The attacker could:

  • Steal proprietary source code and intellectual property.
  • Inject malicious code into software builds, initiating a supply chain attack.
  • Harvest credentials, API keys, and access tokens stored on the machine to pivot into cloud environments and other critical systems.
  • Deploy ransomware or other malware. Given that the attack vector is a prompt injection, it highlights a new and dangerous class of vulnerabilities in AI-assisted development tools where the line between data and executable code is blurred.

Cyber Observables — Hunting Hints

The following patterns may help identify vulnerable or compromised systems:

Type
Process Name
Value
cursor-sandbox-helper
Description
Monitor for unexpected modifications or executions of this binary, which is central to the sandbox mechanism.
Type
Command Line Pattern
Value
ln -s /path/to/sensitive/file
Description
Look for symbolic link creation commands originating from the Cursor process that point outside the project directory.
Type
File Path
Value
~/.cursor-server/
Description
Monitor for unusual file writes or permission changes within Cursor's server and configuration directories.
Type
Log Source
Value
IDE logs, Terminal history
Description
Review logs for commands that change directory (cd) to unexpected system paths before execution.

Detection Methods

  • Asset Inventory: Identify all instances of the Cursor IDE in your environment and verify they are running version 3.0 or later. This can be done via software inventory tools or EDR queries.
  • File Integrity Monitoring (FIM): Implement FIM on the cursor-sandbox-helper binary and other critical Cursor application files to detect unauthorized modifications. This is a form of D3FEND's System File Analysis (D3-SFA).
  • Behavioral Monitoring: Use an EDR solution to monitor the Cursor process for suspicious child processes or file system activity outside of the user's workspace directories. This aligns with Process Analysis (D3-PA).

Remediation Steps

  1. Immediate Update: The primary remediation is to update all instances of Cursor to version 3.0 or later immediately. This is the only way to fully patch the vulnerabilities.
  2. Restrict Network Access: As a temporary compensating control, restrict the Cursor IDE's ability to access untrusted external websites if possible, though this may degrade its functionality.
  3. Developer Awareness: Educate developers on the risks of prompt injection in AI tools and the danger of processing data from untrusted sources, even indirectly via AI agents.
  4. Verification: After updating, verify the patch by checking the application version. Consider a credential rotation for developers who were using vulnerable versions, as a precautionary measure.

Timeline of Events

1
February 1, 2026
Cato Networks reports the DuneSlide vulnerabilities to the Cursor team.
2
April 2, 2026
Cursor releases version 3.0, patching the vulnerabilities.
3
June 1, 2026
CVE-2026-50548 and CVE-2026-50549 are officially assigned.
4
July 1, 2026
Cato Networks publicly discloses the technical details of the DuneSlide vulnerabilities.
5
July 4, 2026
This article was published

MITRE ATT&CK Mitigations

Updating Cursor to version 3.0 or later is the most critical mitigation step to fix the root vulnerabilities.

While the built-in sandbox was flawed, this incident highlights the importance of robust sandboxing. Future defenses could involve nested virtualization or stricter kernel-level controls.

Educating developers on the dangers of prompt injection and interacting with untrusted content via AI tools can help prevent initial exploitation.

Timeline of Events

1
February 1, 2026

Cato Networks reports the DuneSlide vulnerabilities to the Cursor team.

2
April 2, 2026

Cursor releases version 3.0, patching the vulnerabilities.

3
June 1, 2026

CVE-2026-50548 and CVE-2026-50549 are officially assigned.

4
July 1, 2026

Cato Networks publicly discloses the technical details of the DuneSlide vulnerabilities.

Article Author

Jason Gomes

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & AnalysisSecurity Orchestration (SOAR/XSOAR)Incident Response & Digital ForensicsSecurity Operations Center (SOC)SIEM & Security AnalyticsCyber Fusion & Threat SharingSecurity Automation & IntegrationManaged Detection & Response (MDR)

Tags

VulnerabilityRCEZero-ClickCursorAIIDEPrompt InjectionSandbox EscapeCVE-2026-50548CVE-2026-50549

📢 Share This Article

Help others stay informed about cybersecurity threats

🎯 MITRE ATT&CK Mapped

Every tactic, technique, and sub-technique used in this threat has been identified and mapped to the MITRE ATT&CK framework for consistent, actionable threat language.

🧠 Enriched & Analyzed

Observables and indicators of compromise (IOCs) have been extracted and cataloged. Risk has been assessed and correlated with known threat actors and historical campaigns.

🛡️ Actionable Guidance

Detection rules, incident response steps, and D3FEND-aligned mitigation strategies are included so your team can act on this intelligence immediately.

🔗 STIX Visualizer

Structured threat data is packaged as a STIX 2.1 bundle and can be visualized as an interactive graph — relationships between actors, malware, techniques, and indicators.

Sigma Generator

Sigma detection rules are derived from the threat techniques in this article and can be converted for deployment across any major SIEM or EDR platform.