What happened
Cato AI Labs disclosed two independent critical RCE vulnerabilities (both CVSS 9.8) in the Cursor AI code editor, collectively named 'DuneSlide', publicly released 2026-07-01/03. CVE-2026-50548 abuses the working_directory parameter of Cursor's run_terminal_cmd tool: when an LLM agent sets a non-default working directory (steerable via prompt injection from an MCP server response or web search result), Cursor blindly adds that path to the sandbox's allowed-write list. This enables overwriting the cursorsandbox binary, after which all subsequent shell commands run without sandboxing. CVE-2026-50549 abuses a fallback in symlink canonicalization: when path resolution fails (non-existent or read-inaccessible path), Cursor trusts the un-canonicalized symlink path. An injected instruction can therefore create a write-only symlink from inside the project to the sandbox helper binary outside it, achieving the same escape. Both require zero user clicks: injected instructions hidden in MCP server output or web search results trigger the full chain.
Why it matters
Cursor is used by more than half of the Fortune 500. A developer simply asking Cursor to research a library or debug code while connected to a malicious (or compromised) MCP server is enough to achieve full OS-level code execution with the developer's privileges — exposing SSH keys, git credentials, AWS/GCP/Azure tokens, CI/CD pipelines, and any production system the developer can reach. Cato stated it is disclosing similar flaws in other coding agents, suggesting a structural category-wide trust-boundary gap.
Attack vector
Prompt injection embedded in MCP server responses, web search results, or attacker-crafted project files causes Cursor's LLM agent to set an arbitrary working directory or create a malicious symlink, overwriting the cursorsandbox binary and achieving unrestricted RCE on the developer's host OS.
Affected systems
Cursor IDE < 3.0 (all 2.x versions); fixed in Cursor 3.0 (released April 2026)
Mitigation
Update Cursor to version 3.0 or later immediately. Audit MCP server integrations and remove untrusted or unnecessary connectors. Avoid allowing Cursor to fetch external content from unvetted sources. Cato advisory: https://www.catonetworks.com/blog/duneslide-two-critical-rce-vulnerabilities/