Cato AI Labs has disclosed two critical flaws in Cursor, the AI code editor. The pair is nicknamed DuneSlide. According to Cato AI Labs, both carry a critical CVSS score of 9.8. The good news comes first: they are already fixed in Cursor 3.0. If you want the wider safety picture, our "Is Cursor AI safe" guide and our AI agent security overview help.
What Cato AI Labs found
According to Cato AI Labs, its researchers found two flaws in Cursor. Cato named the pair DuneSlide. The flaws got two IDs: CVE-2026-50548 and CVE-2026-50549. Both hold a critical CVSS score of 9.8, the top band. Cato AI Labs shared the details on 1 July 2026.
Cato also notes how widely Cursor is used. According to Cato AI Labs, more than half of the Fortune 500 use it. So a flaw here reaches many teams.
How the DuneSlide attack works
According to Cato AI Labs, the attack starts with indirect prompt injection. The idea is simple. You type a normal, safe prompt. The AI agent then reads outside content to help you. That content can be a web search result or a reply from an MCP server. If an attacker controls that content, they can hide orders inside it.
The agent reads those hidden orders. It treats them as your request. According to Cato AI Labs, this lets the agent break out of its sandbox. The sandbox is the safe box that keeps the agent away from the rest of your machine. Once out, the agent can run commands on your computer. Security teams call this RCE, short for remote code execution.
One detail matters. According to Cato AI Labs, the attack is zero-click. You do not click a bad link. You only run a normal prompt that happens to pull in the poisoned content.

The two flaws in plain terms
According to Cato AI Labs, each CVE uses a different trick.
- CVE-2026-50548: the hidden prompt tells the agent to set its working_directory outside the project folder. That lets it write files in sensitive spots, such as the cursorsandbox helper. Writing there turns the sandbox off.
- CVE-2026-50549: the hidden prompt makes a symlink inside the project. A symlink is a shortcut that points to another file. Here it points to a file outside the project. Cursor runs a check to clean up the path. According to Cato AI Labs, when that check fails, the agent falls back to the raw symlink path, which never gets validated.
Both tricks end the same way. The agent leaves its safe box and acts on the attacker's terms.
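Seen from the defender's side, both tricks are stopped by the same rule: canonicalize the path, require the result to sit under the project root, and reject the request if canonicalization fails instead of falling back to the raw path. The Python below is an added example, not Cursor's code and not taken from the Cato AI Labs report; the names resolve_inside, PathEscapeError and demo are hypothetical, and every path is constructed in a throwaway directory.

```python
import os
import tempfile
from pathlib import Path


class PathEscapeError(Exception):
    """The path cannot be proven to stay inside the project root."""


def resolve_inside(project_root, candidate):
    """Canonicalize `candidate`; reject it if that fails or it leaves the root."""
    try:
        root = Path(project_root).resolve(strict=True)
        raw = root / candidate  # an absolute candidate replaces root here
        parent = raw.parent.resolve(strict=True)  # every directory must exist
        leaf = parent / raw.name
        if leaf.is_symlink() or leaf.exists():
            # Follow an existing leaf; dangling or looping links raise here.
            leaf = leaf.resolve(strict=True)
    except (OSError, RuntimeError) as exc:
        # Fail closed: the unvalidated raw path is never returned.
        raise PathEscapeError(f"cannot canonicalize {candidate!r}") from exc
    if leaf != root and root not in leaf.parents:
        raise PathEscapeError(f"{candidate!r} resolves outside {root}")
    return leaf


def demo():
    """Run the check against constructed paths in a temporary directory."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        project, outside = Path(tmp, "project"), Path(tmp, "outside")
        (project / "src").mkdir(parents=True)
        outside.mkdir()
        (outside / "helper").write_text("constructed stand-in for a sensitive file")
        os.symlink(outside / "helper", project / "link")     # points out of the project
        os.symlink(project / "missing", project / "broken")  # cannot be resolved
        cases = {"in_project": "src/new.py", "workdir_outside": str(outside),
                 "dotdot": "../outside/helper", "symlink": "link", "unresolvable": "broken"}
        for name, path in cases.items():
            try:
                resolve_inside(project, path)
                results[name] = "allowed"
            except PathEscapeError:
                results[name] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```

Only the path that stays under the project root is allowed; the outside working directory, the `..` path, the symlink and the link that cannot be resolved are all rejected.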
The key point: already fixed in Cursor 3.0
Here is the part that should calm you. According to Cato AI Labs, both flaws hit only versions before Cursor 3.0. Cursor 3.0 shipped on 2 April 2026. It already fixes both. So the fix came before the public report.
The action is small: update Cursor to 3.0 or newer. Most people are already there. According to Cato AI Labs, no attacks in the wild have been reported. This is a patch-and-move-on case, not a crisis. If you are weighing tools, our Cursor vs Claude Code comparison and our Cursor alternatives 2026 list can help.
The disclosure timeline
According to Cato AI Labs, the report took a few turns:
- 19 February: Cato reported the flaws to Cursor.
- 23 February: Cursor first rejected the report. Its threat model did not count MCP server abuse as a risk.
- 26 February: after Cato pushed back, Cursor reopened the case.
- Cursor 3.0: the fix shipped in that release.
The lesson is broad. As AI agents read more outside content, the MCP and web layers become part of the attack surface. Our best AI coding assistants 2026 guide covers how the main tools handle this.
What developers should do
Keep it simple. Open Cursor and check your version. If it is below 3.0, update now. If it is 3.0 or newer, you already have the fix. Treat MCP servers and web sources like any input: useful, but not always safe. Cato AI Labs found the flaws, Cursor fixed them, and you just need to stay current.



