{"slug": "duneslide-critical-cursor-ide-flaws-allow-zero-click-rce", "title": "DuneSlide: Critical Cursor IDE Flaws Allow Zero-Click RCE", "summary": "Two critical vulnerabilities in Cursor IDE, collectively named DuneSlide and disclosed July 1 by Cato AI Labs, allow zero-click remote code execution via prompt injection, scoring 9.8 on CVSS 3.1. The flaws, CVE-2026-50548 and CVE-2026-50549, enable attackers to bypass the sandbox and execute arbitrary commands as the developer, compromising credentials and cloud workspaces. The fix is Cursor 3.0, shipped April 2, with no evidence of in-the-wild exploitation as of disclosure.", "body_md": "Your AI coding assistant just became an attack vector. Two critical vulnerabilities in Cursor IDE — disclosed July 1 by Cato AI Labs and collectively dubbed DuneSlide — allow an attacker to execute arbitrary operating system commands on a developer’s machine with no user interaction required. The flaws score 9.8 on CVSS 3.1, the highest tier of severity. The fix is Cursor 3.0, which shipped April 2. If you have not updated, stop reading and do that first.\n\n## How You Get Hit Without Clicking Anything\n\nDuneSlide is not a traditional remote code execution story where a malicious website or file triggers an exploit. The attack comes through prompt injection — instructions planted inside content your Cursor agent reads on your behalf. The two primary delivery mechanisms are MCP (Model Context Protocol) server responses and poisoned web search results that the agent ingests during a task. You issue a normal, innocuous prompt. The agent reads attacker-controlled content as part of executing it. The injected instructions take over from there.\n\nNo special access. No phishing link. No malicious attachment. 
Just the normal workflow of an AI-assisted developer, pointed at content someone tampered with upstream.\n\n## The Two Bugs: What Each One Actually Does\n\n### CVE-2026-50548: The Working Directory Loophole\n\nCursor’s `run_terminal_cmd` tool accepts an optional `working_directory` parameter. When this parameter is set, the sandbox adds that path to its allowed-write list — without validating that it actually sits inside the project. Injected instructions can steer the agent to set `working_directory` to a system location instead: for example, the `cursorsandbox` binary itself at `/Applications/Cursor.app/Contents/Resources/app/resources/helpers/cursorsandbox`, or shell config files like `~/.zshrc`. The agent then overwrites the sandbox enforcer with attacker-controlled content. After that, the sandbox is gone. Every subsequent command runs unsandboxed, as the current user.\n\n### CVE-2026-50549: The Symlink Safety Net That Catches Nothing\n\nBefore writing files, Cursor resolves symlinks to verify the real destination sits inside the project root. The bug is in the failure behavior: when the check cannot complete — because the target does not exist, or read permissions on a directory in the path have been restricted — Cursor gives up and trusts the symlink’s apparent in-project path instead of rejecting the write. An attacker creates a symlink inside the project pointing to a sensitive external file, then engineers the check to fail. Cursor bypasses its own guard and writes straight through to the external destination.\n\n## What Happens After the Sandbox Falls\n\nOnce either vulnerability is exploited, the next command runs as the developer. Not in a sandbox. Not with reduced privileges. As them, with their credentials, their tokens, their signed-in cloud workspaces. That means AWS keys, GitHub tokens, any SaaS product the editor is authenticated against. 
The blast radius is not the IDE — it is everything that IDE is connected to.\n\nCato AI Labs reports no evidence of in-the-wild exploitation as of the July 1 disclosure. That is good news, but it should not slow the update decision. Zero-click critical vulnerabilities do not stay unexploited for long once they are public.\n\n## The Fix: Update to Cursor 3.0 Now\n\nUpdate to Cursor 3.0. Cato reported the vulnerabilities to Cursor in February 2026, and the patch shipped April 2 in Cursor 3.0. The 60-day responsible disclosure window was handled correctly. If your editor auto-updates, you may already be protected — check by opening **Cursor > About Cursor** and confirming the version is 3.0 or later. If you are behind, use the Command Palette’s **Check for Updates** option or download directly from the [Cursor changelog page](https://cursor.com/changelog).\n\n## The Bigger Problem DuneSlide Points At\n\nMost developers still think of prompt injection as “getting the AI to say something it shouldn’t.” DuneSlide is the first CVE-scored proof that prompt injection can own your machine. The attack chain — malicious content plants instructions, agent executes them, sandbox falls — will generalize to every AI tool that lets agents take real-world actions based on external input. That is most of them.\n\nMCP makes this worse, not because MCP is inherently broken, but because it dramatically expands what “external input” can mean. A single MCP server returning a crafted response is all an attacker needs. Cato’s [full technical disclosure](https://www.catonetworks.com/blog/duneslide-two-critical-rce-vulnerabilities/) details how both bugs chain through MCP in practice. OWASP reports that 73% of live AI deployments are exposed to prompt injection. DuneSlide is what that number looks like when someone actually exploits it.\n\nAI IDE sandboxes were designed to prevent accidents. They were not designed to stop adversaries. 
That threat model needs updating — and so does every developer’s assumption that the AI assistant is only helping them, rather than potentially being steered by someone else entirely. Read the [full security advisory coverage](https://thehackernews.com/2026/07/critical-cursor-flaws-could-let-prompt.html) and the [enterprise risk assessment](https://www.csoonline.com/article/4191923/sandbox-bypass-flaws-in-cursor-ide-highlight-prompt-injection-as-an-rce-vector.html) for additional context on the broader implications.", "url": "https://wpnews.pro/news/duneslide-critical-cursor-ide-flaws-allow-zero-click-rce", "canonical_source": "https://byteiota.com/duneslide-critical-cursor-ide-flaws-allow-zero-click-rce/", "published_at": "2026-07-04 05:07:51+00:00", "updated_at": "2026-07-04 05:29:46.805571+00:00", "lang": "en", "topics": ["ai-safety", "ai-tools", "ai-agents", "large-language-models", "developer-tools"], "entities": ["Cursor IDE", "Cato AI Labs", "DuneSlide", "CVE-2026-50548", "CVE-2026-50549", "MCP", "Model Context Protocol", "Cursor 3.0"], "alternates": {"html": "https://wpnews.pro/news/duneslide-critical-cursor-ide-flaws-allow-zero-click-rce", "markdown": "https://wpnews.pro/news/duneslide-critical-cursor-ide-flaws-allow-zero-click-rce.md", "text": "https://wpnews.pro/news/duneslide-critical-cursor-ide-flaws-allow-zero-click-rce.txt", "jsonld": "https://wpnews.pro/news/duneslide-critical-cursor-ide-flaws-allow-zero-click-rce.jsonld"}}