DuneSlide: Critical Zero-Click RCE Bugs in Cursor IDE Put Fortune 500 Developer Machines at Risk

dark6 2 July 2026

Two critical remote code execution (RCE) vulnerabilities dubbed DuneSlide have been disclosed in Cursor IDE, the AI-powered development environment used by more than half of Fortune 500 companies. Discovered by Cato AI Labs, both flaws carry a maximum CVSS severity score of 9.8 and are tracked as CVE-2026-50548 and CVE-2026-50549. Crucially, exploitation requires zero user interaction — a victim only needs to issue an ordinary coding prompt that happens to ingest attacker-controlled content from an untrusted source.

What Is Cursor IDE and Why Does It Matter?

Cursor is an AI-native integrated development environment built on top of Visual Studio Code. It integrates large language model capabilities directly into the coding workflow, allowing developers to run agent-style terminal commands, query MCP servers, and accept code suggestions without leaving the editor. Its adoption across financial institutions, healthcare providers, and technology companies makes any serious vulnerability in Cursor a systemic risk to software supply chains.

Cursor 2.x runs agent terminal commands inside a sandbox automatically, without prompting for user approval. DuneSlide demonstrates that this sandbox can be bypassed entirely through prompt injection, turning a routine coding session into a full system compromise.

CVE-2026-50548: Working Directory Manipulation

The first vulnerability stems from how Cursor grants write access based on a command’s working directory. The working_directory parameter of the run_terminal_cmd tool is LLM-controlled, meaning a prompt injection attack can steer the AI agent into setting the working directory to an attacker-chosen path outside the project root.

By manipulating this parameter, an attacker can direct Cursor to write to sensitive system locations, including:

  • The cursorsandbox helper binary at /Applications/Cursor.app/Contents/Resources/app/resources/helpers/cursorsandbox
  • Shell configuration files such as ~/.zshrc
  • LaunchAgent plists at ~/Library/LaunchAgents

Overwriting the cursorsandbox binary neutralizes sandbox restrictions for all subsequent commands in the same injection session, effectively granting the attacker a persistent unsandboxed RCE foothold on the victim machine.

CVE-2026-50549: Symlink Canonicalization Bypass

The second vulnerability is an independent flaw in Cursor’s path resolution logic. A prompt injection can instruct the agent to create a symlink inside the project directory pointing to an external target. When Cursor’s canonicalization step fails, the agent falls back to trusting the original, unvalidated symlink path.

This bypasses Cursor’s out-of-bounds write checks, allowing attackers to overwrite the cursorsandbox helper through the symlink chain. The result: privileged RCE with no user interaction required beyond a normal-looking coding query.
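The two validation failures described above, as an added sketch that is not Cursor's code or Cato AI Labs' proof of concept: a fail-open path check modelled on the described fallback, next to a check that canonicalizes both the agent-supplied working directory and the destination and denies on any resolver error. The function names, the temporary directory layout and the dangling link used to make resolution fail are assumptions for illustration.

```python
import os
import tempfile
from pathlib import Path

def inside(root: Path, candidate: Path) -> bool:
    """True if candidate is root or lies beneath it (both already canonical)."""
    return candidate == root or root in candidate.parents

def allow_write_fail_open(root: str, target: str) -> bool:
    """Simplified model of the flawed fallback: resolver error -> trust raw path."""
    try:
        real = Path(target).resolve(strict=True)
    except (OSError, RuntimeError):
        real = Path(os.path.abspath(target))  # lexical only, links not followed
    return inside(Path(root).resolve(strict=True), real)

def allow_write(root: str, cwd: str, target: str) -> bool:
    """Hardened: cwd and destination must canonicalize inside root, else deny."""
    try:
        real_root = Path(root).resolve(strict=True)
        real_cwd = Path(cwd).resolve(strict=True)
        dest = real_cwd / target  # an absolute target replaces cwd
        real_parent = dest.parent.resolve(strict=True)  # file may not exist yet
    except (OSError, RuntimeError):
        return False  # fail closed: never fall back to the unresolved path
    final = real_parent / dest.name
    if dest.name in ("", "..") or final.is_symlink():
        return False  # refuse to write through a link in the last component
    return inside(real_root, real_cwd) and inside(real_root, final)

def demo() -> dict:
    """Evaluate both checks on a constructed tree in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp).resolve()
        root, outside = base / "project", base / "helpers"
        root.mkdir()
        outside.mkdir()
        (root / "build").symlink_to(outside)  # link that leaves the root
        (root / "stale").symlink_to(base / "missing")  # resolution will fail
        r, stale = str(root), str(root / "stale" / "cursorsandbox")
        return {
            "normal_file": allow_write(r, r, "main.py"),
            "cwd_outside_root": allow_write(r, str(outside), "cursorsandbox"),
            "via_symlink": allow_write(r, r, "build/cursorsandbox"),
            "resolver_fails": allow_write(r, r, "stale/cursorsandbox"),
            "fail_open_resolver_fails": allow_write_fail_open(r, stale),
        }
```

A path check of this kind is still exposed to a race between validation and the write, so the write itself should be performed relative to an already-opened directory handle with symlink following disabled.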

How the Attack Is Triggered

DuneSlide belongs to a dangerous new attack category: prompt injection into autonomous coding agents. Attackers only need to place malicious instructions in content the AI agent might process, such as:

  • A response from a malicious or compromised MCP (Model Context Protocol) server
  • A poisoned web search result that the agent summarizes
  • A malicious package README or repository description
  • Adversarial content embedded in a code file under review

When the agent processes this content, the injected instructions hijack the LLM behavior, steering it to execute the exploit chain without the developer ever realizing anything went wrong.

Scope and Recommended Mitigations

Both CVEs affect Cursor IDE 2.x, the current production release. Cato AI Labs disclosed the flaws responsibly and is continuing disclosure across other popular AI coding agents, warning that DuneSlide is a symptom of a broader architectural problem in how autonomous coding tools handle untrusted input.

Until a patch is available, organizations should:

  • Require manual approval for Cursor agent terminal commands wherever possible.
  • Limit MCP server connections to trusted, internally managed instances only.
  • Deploy EDR monitoring to alert on unexpected writes to application helper binaries, shell configuration files, or LaunchAgent directories.
  • Apply patches immediately once Cursor releases fixes for CVE-2026-50548 and CVE-2026-50549.
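
One way to express the EDR alerting rule from the list above, as an added example rather than any vendor's rule format: it normalizes each written path and flags writes to the three locations the article names. The JSON event schema and the sample events are constructed, and the shell configuration set is widened beyond ~/.zshrc to other common startup files.

```python
import json
import posixpath

# Paths named in the article; the shell-config set is widened beyond ~/.zshrc.
HELPER_DIR = "/Applications/Cursor.app/Contents/Resources/app/resources/helpers"
SHELL_RC = {".zshrc", ".zshenv", ".zprofile", ".bashrc", ".bash_profile", ".profile"}
WRITE_OPS = {"create", "write", "truncate", "rename"}

def classify(path: str, home: str):
    """Return a watch category for a normalized macOS path, or None."""
    if path.startswith(HELPER_DIR + "/"):
        return "app-helper-binary"
    if posixpath.dirname(path) == home and posixpath.basename(path) in SHELL_RC:
        return "shell-config"
    if path.startswith(posixpath.join(home, "Library/LaunchAgents") + "/"):
        return "launch-agent"
    return None

def triage(lines):
    """Return (category, process, path) for write events touching watched paths."""
    alerts = []
    for line in lines:
        try:
            ev = json.loads(line)
            if ev["op"] not in WRITE_OPS:
                continue
            # Collapse "a/../b" so a traversal sequence cannot hide a hit.
            path = posixpath.normpath(ev["path"])
            category = classify(path, ev["home"])
        except (ValueError, KeyError, TypeError, AttributeError):
            continue  # malformed telemetry is skipped, not fatal
        if category:
            alerts.append((category, ev.get("process", "?"), path))
    return alerts

# Constructed sample events (hypothetical schema: op, process, path, home).
H = '","home":"/Users/dev"}'
SAMPLE_EVENTS = [
    '{"op":"write","process":"node","path":"/Users/dev/project/src/app.ts' + H,
    '{"op":"write","process":"zsh","path":"/Users/dev/project/../.zshrc' + H,
    '{"op":"create","process":"sh","path":"/Users/dev/Library/LaunchAgents/com.example.plist' + H,
    '{"op":"rename","process":"mv","path":"' + HELPER_DIR + '/cursorsandbox' + H,
    '{"op":"read","process":"cat","path":"/Users/dev/.zshrc' + H,
    "not json",
]
```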

DuneSlide is a stark reminder that as AI-powered coding assistants gain autonomous capabilities, prompt injection vulnerabilities have the potential to become the most dangerous class of developer-targeting attacks in 2026 and beyond.
