Critical Cursor IDE RCE Vulnerabilities Allow Zero-Click Prompt Injection

David kimber
July 1, 2026

Key Takeaways

  • Two critical remote code execution (RCE) vulnerabilities, collectively named “DuneSlide,” have been discovered in Cursor IDE.
  • These flaws (CVE-2026-50548 and CVE-2026-50549) allow zero-click prompt injection attacks to fully bypass Cursor’s sandbox, leading to complete system compromise.
  • The vulnerabilities affect Cursor IDE 2.x, a popular AI-powered development environment used by a significant portion of Fortune 500 companies.
  • A fix is available; users should update their Cursor IDE to the latest patched version immediately.

Security researchers have uncovered two severe remote code execution (RCE) vulnerabilities within Cursor IDE, an AI-powered development environment leveraged by a substantial number of Fortune 500 organizations. These critical flaws, dubbed “DuneSlide,” enable attackers to achieve full system compromise through a novel zero-click prompt injection technique, completely circumventing the IDE’s built-in sandbox.

Disclosed by Cato AI Labs, the vulnerabilities are tracked as CVE-2026-50548 and CVE-2026-50549, both carrying a CVSS severity score of 9.8. Their discovery highlights a concerning evolution in prompt injection attacks, demonstrating how these techniques can extend beyond merely manipulating a Large Language Model’s (LLM) output to directly exploit conventional code execution paths previously not considered part of the attack surface.

Successful exploitation of these weaknesses allows a threat actor to overwrite critical system files, including the cursorsandbox binary. This effectively transforms commands intended to run within the sandbox into fully unsandboxed RCE, jeopardizing both the local developer machine and any connected SaaS workspaces. Crucially, these bugs can be triggered without any user privileges or explicit interaction. A victim needs only to issue a seemingly harmless prompt that inadvertently incorporates attacker-controlled content from an untrusted source, such as a malicious MCP server response or a poisoned web search result.

Cursor IDE version 2.x automatically executes agent terminal commands within a sandbox, a design choice aimed at reducing user approval fatigue while simultaneously limiting the potential escalation of simple prompt injection attacks. However, the “DuneSlide” vulnerabilities demonstrate that this containment mechanism can be entirely bypassed.

Vulnerability #1: Working Directory Manipulation (CVE-2026-50548)

The first vulnerability, CVE-2026-50548, arises from how Cursor’s sandbox grants write access to a command’s working directory. The working_directory parameter, an optional and LLM-controlled component of the run_terminal_cmd tool, can be manipulated via prompt injection. This allows an attacker to direct the agent to set the working directory to an arbitrary path outside the intended project root.

By exploiting this, attackers can write to sensitive locations on the system. This includes overwriting the cursorsandbox helper application located at /Applications/Cursor.app/Contents/Resources/app/resources/helpers/cursorsandbox, or modifying critical user configuration files like ~/.zshrc and ~/Library/LaunchAgents. Such actions effectively neutralize sandbox restrictions for subsequent commands executed as part of the same injection, paving the way for full RCE.

Vulnerability #2: Symlink Canonicalization Bypass (CVE-2026-50549)

The second independent flaw, CVE-2026-50549, resides in Cursor’s path resolution logic. Through a carefully crafted prompt injection, an attacker can instruct the agent to create a symbolic link (symlink) within the project directory that points to an external file. If Cursor’s canonicalization process fails—for instance, because the symlink’s target does not exist or lacks read permissions—the agent defaults to trusting the original, unvalidated symlink path.

This bypasses out-of-bounds write checks, enabling attackers to overwrite the same critical cursorsandbox helper through the malicious symlink. This method also achieves privileged RCE without any user interaction, underscoring that even robust sandboxing mechanisms can be compromised when parameter validation and edge cases in path resolution are not thoroughly secured against prompt injection.
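
The two checks described above, shown as an added defensive example (not Cursor's code and not from the Cato AI Labs write-up): a requested working directory must canonicalize to a location under the project root, and a path that cannot be canonicalized is rejected instead of being trusted in its unresolved form. The function names and the temporary directory layout are assumptions made for illustration.

```python
# Added example; names are illustrative and do not come from Cursor.
import tempfile
from pathlib import Path

class PathRejected(Exception):
    """The path cannot be proven to stay inside the project root."""

def resolve_inside(root, candidate):
    """Canonicalize candidate under root; any resolution error means reject."""
    try:
        real_root = Path(root).resolve(strict=True)
        real = (real_root / candidate).resolve(strict=True)
    except (OSError, RuntimeError) as exc:
        raise PathRejected(f"cannot canonicalize {candidate!r}") from exc
    if not real.is_relative_to(real_root):
        raise PathRejected(f"{candidate!r} resolves outside the root")
    return real

def check_write_target(root, target):
    """Validate a file about to be written; the file itself may not exist yet."""
    path = Path(root) / target
    parent = resolve_inside(root, path.parent)
    leaf = parent / path.name
    if leaf.is_symlink() or leaf.exists():
        return resolve_inside(root, leaf)  # existing entries must resolve
    return leaf  # new file in an already validated directory

def demo():
    """Run both checks over a constructed layout: <tmp>/project inside <tmp>."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        project = Path(tmp, "project")
        (project / "src").mkdir(parents=True)
        # Constructed: in-project symlink whose outside target does not exist.
        (project / "link").symlink_to(Path(tmp, "helper"))
        cases = {
            "cwd_in_project": (resolve_inside, "src"),
            "cwd_outside": (resolve_inside, tmp),
            "cwd_dotdot": (resolve_inside, "src/../.."),
            "write_new_file": (check_write_target, "src/new.txt"),
            "write_dangling_link": (check_write_target, "link"),
        }
        for name, (check, arg) in cases.items():
            try:
                check(project, arg)
                results[name] = "allowed"
            except PathRejected:
                results[name] = "rejected"
    return results
```

A check like this is still subject to a race between validation and the write, so the sandbox layer should enforce the same boundary itself, for example by opening the final component without following symlinks.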

The “DuneSlide” findings emphasize that relying solely on sandboxing is insufficient to contain autonomous coding agents, especially when vulnerabilities related to parameter validation and path-resolution edge cases remain exploitable through prompt injection. Cato AI Labs states they are continuing to engage in responsible disclosure with other popular coding agent vendors, highlighting the urgent need for systemic, architecture-level defenses rather than isolated patches to secure the growing ecosystem of AI-driven development tools.

What You Should Do

  • Update Immediately: Ensure your Cursor IDE is updated to the latest patched version to mitigate these critical vulnerabilities.
  • Exercise Caution with Prompts: Be wary of prompts that ingest content from untrusted external sources, such as suspicious web search results or unknown MCP server responses.
  • Review Development Workflows: Assess existing development workflows that utilize AI coding agents for potential exposure to prompt injection vectors.
  • Implement Least Privilege: Adhere to the principle of least privilege for developer environments and integrated tools.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

David is a penetration tester turned security journalist with expertise in mobile security, IoT vulnerabilities, and exploit development. As an OSCP-certified security professional, David brings hands-on technical experience to his reporting on vulnerabilities and security research. His articles often feature detailed technical analysis of exploits and provide actionable defense recommendations. David maintains an active presence in the security research community and has contributed to multiple open-source security tools.
