alexi.sh

Critical Cursor Flaws (DuneSlide): Zero-Click RCE via Prompt Injection, Fixed in 3.0

PrivSec Lab · 4 min read

Cato AI Labs disclosed two critical Cursor flaws nicknamed DuneSlide (CVE-2026-50548 and CVE-2026-50549, CVSS 9.8). They allow zero-click remote code execution via indirect prompt injection. Here is how they work and why they are already fixed in Cursor 3.0.

Cato AI Labs has disclosed two critical flaws in Cursor, the AI code editor. The pair is nicknamed DuneSlide. According to Cato AI Labs, both carry a critical CVSS score of 9.8. The good news comes first: they are already fixed in Cursor 3.0. If you want the wider safety picture, our "Is Cursor AI safe" guide and our AI agent security overview can help.

What Cato AI Labs found

According to Cato AI Labs, its researchers found two flaws in Cursor. Cato named the pair DuneSlide. The flaws got two IDs: CVE-2026-50548 and CVE-2026-50549. Both hold a critical CVSS score of 9.8, the top band. Cato AI Labs shared the details on 1 July 2026.

Cato also notes how widely Cursor is used. According to Cato AI Labs, more than half of the Fortune 500 use it. So a flaw here reaches many teams.

How the DuneSlide attack works

According to Cato AI Labs, the attack starts with indirect prompt injection. The idea is simple. You type a normal, safe prompt. The AI agent then reads outside content to help you. That content can be a web search result or a reply from an MCP server. If an attacker controls that content, they can hide orders inside it.

The agent reads those hidden orders. It treats them as your request. According to Cato AI Labs, this lets the agent break out of its sandbox. The sandbox is the safe box that keeps the agent away from the rest of your machine. Once out, the agent can run commands on your computer. Security teams call this RCE, short for remote code execution.

One detail matters. According to Cato AI Labs, the attack is zero-click. You do not click a bad link. You only run a normal prompt that happens to pull in the poisoned content.


The two flaws in plain terms

According to Cato AI Labs, each CVE uses a different trick.

  • CVE-2026-50548: the hidden prompt tells the agent to set its working_directory outside the project folder. That lets it write files in sensitive spots, such as the cursorsandbox helper. Writing there turns the sandbox off.
  • CVE-2026-50549: the hidden prompt makes a symlink inside the project. A symlink is a shortcut that points to another file. Here it points to a file outside the project. Cursor runs a check to clean up the path. According to Cato AI Labs, when that check fails, the agent falls back to the raw symlink path, which never gets validated.

Both tricks end the same way. The agent leaves its safe box and acts on the attacker's terms.
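Both descriptions come down to one defensive rule: canonicalize every path a tool call names, confirm the result is still inside the project, and refuse the request if canonicalization fails instead of falling back to the raw path. The sketch below is an added example, not Cursor's code or Cato's; the function names and the temporary project tree are assumptions made for illustration.

```python
import os
import tempfile

# Added illustration: all names here are hypothetical, not Cursor's API.


class PathRejected(Exception):
    """The path could not be proven to stay inside the project root."""


def resolve_inside(project_root, requested, canonicalize=os.path.realpath):
    """Return the canonical path, or raise PathRejected (never the raw path)."""
    root = os.path.realpath(project_root)
    joined = os.path.join(root, requested)  # an absolute `requested` replaces root
    try:
        real = canonicalize(joined)  # follows symlinks, collapses ".."
        inside = os.path.commonpath([root, real]) == root
    except (OSError, ValueError) as exc:
        # Fail closed: a failed check means the request is refused.
        raise PathRejected(f"cannot canonicalize {requested!r}") from exc
    if not inside:
        raise PathRejected(f"{requested!r} resolves outside {root!r}")
    return real


def is_allowed(project_root, requested, canonicalize=os.path.realpath):
    try:
        resolve_inside(project_root, requested, canonicalize)
        return True
    except PathRejected:
        return False


def failing_canonicalize(_path):
    # Stand-in for a canonicalization step that errors out.
    raise OSError("simulated failure")


def demo():
    """Check constructed requests against a throwaway project tree."""
    with tempfile.TemporaryDirectory() as base:
        project, outside = os.path.join(base, "project"), os.path.join(base, "outside")
        os.makedirs(os.path.join(project, "src"))
        os.makedirs(outside)
        os.symlink(outside, os.path.join(project, "link"))  # points out of the project
        return {
            "file_in_project": is_allowed(project, "src/main.py"),
            "working_directory_outside": is_allowed(project, outside),
            "symlink_to_outside": is_allowed(project, "link/new.txt"),
            "canonicalize_fails": is_allowed(project, "src/main.py", failing_canonicalize),
        }
```

The same check applies to a working directory and to a file target, since both are just paths the agent asks to use.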

The key point: already fixed in Cursor 3.0

Here is the part that should calm you. According to Cato AI Labs, both flaws hit only versions before Cursor 3.0. Cursor 3.0 shipped on 2 April 2026. It already fixes both. So the fix came before the public report.

The action is small: update Cursor to 3.0 or newer. Most people are already there. According to Cato AI Labs, no attacks in the wild have been reported. This is a patch-and-move-on case, not a crisis. If you are weighing tools, our Cursor vs Claude Code comparison and our Cursor alternatives 2026 list can help.

The disclosure timeline

According to Cato AI Labs, the report took a few turns:

  • 19 February: Cato reported the flaws to Cursor.
  • 23 February: Cursor first rejected the report. Its threat model did not count MCP server abuse as a risk.
  • 26 February: after Cato pushed back, Cursor reopened the case.
  • Cursor 3.0: the fix shipped in that release.

The lesson is broad. As AI agents read more outside content, the MCP and web layers become part of the attack surface. Our best AI coding assistants 2026 guide covers how the main tools handle this.

What developers should do

Keep it simple. Open Cursor and check your version. If it is below 3.0, update now. If it is 3.0 or newer, you already have the fix. Treat MCP servers and web sources like any input: useful, but not always safe. Cato AI Labs found the flaws, Cursor fixed them, and you just need to stay current.


FAQ

What is DuneSlide?
According to Cato AI Labs, DuneSlide is the nickname for two critical Cursor flaws, CVE-2026-50548 and CVE-2026-50549, both rated CVSS 9.8. Cato disclosed them on 1 July 2026. They are already fixed in Cursor 3.0.

Am I at risk?
Only if you run a Cursor version before 3.0. According to Cato AI Labs, Cursor 3.0 (released 2 April 2026) already fixes both flaws. Update to 3.0 or newer and you are covered. No active exploitation has been reported.

How does the attack work?
According to Cato AI Labs, it uses indirect prompt injection. The agent reads untrusted content, like a poisoned web search result or an MCP server reply. Hidden instructions then push the agent to escape its sandbox and run commands. It is zero-click.

What should I do?
Update Cursor to version 3.0 or newer. According to Cato AI Labs, most users already run a fixed version. Check your version in the app and update if needed.