Two CVSS 9.8 RCE Vulnerabilities in Cursor Show How Prompt Injection Became a Remote Code Execution Vector in AI IDEs

On Wednesday Cato AI Labs disclosed DuneSlide, a pair of zero-click vulnerabilities in Cursor versions before 3.0 that break out of the agent sandbox through instructions planted in an MCP server or in web pages the agent loads.
Cato AI Labs disclosed two critical vulnerabilities in Cursor, an AI-powered code IDE used by more than half of the Fortune 500 according to its vendor, on Wednesday, July 1st. The vulnerabilities, tracked as CVE-2026-50548 and CVE-2026-50549, both with a CVSS score of 9.8, enable remote code execution on the developer's host from malicious content planted in a service connected over the Model Context Protocol (MCP) or in a web page the Cursor agent loads during a web search. The attack is zero-click: the developer types nothing; the agent reads the poisoned instruction and executes it.
Anysphere, the company behind Cursor, patched both bugs in version 3.0, released on April 2nd. The gap between patch and public disclosure is typical of coordinated disclosure, but every installation still running a version before 3.0 remains exposed. That user base, according to Cursor, includes engineering teams at consultancies and banks that have standardized on the tool in code-agent pipelines over the past twelve months.
How the sandbox was broken
CVE-2026-50548 abuses a sandbox behavior. When the agent runs the run_terminal_cmd tool, Cursor allows writes to the declared working directory. The working_directory parameter is optional and is chosen by the language model itself, so it is attacker-influenced whenever the model is reading injected content. A prompt injection that sets this parameter to a path outside the project, pointing at the cursorsandbox helper binary or at the Cursor installer, turns a sandboxed command into an arbitrary file write, and an arbitrary write into the sandbox helper becomes full RCE the next time the helper is launched.
CVE-2026-50549 breaks path resolution. When the agent, acting on injected instructions, creates a symlink inside the project directory, Cursor attempts to canonicalize its target, and when canonicalization fails it falls back to the original symlink path without validating it. A prompt injection that plants a symlink pointing outside the project therefore bypasses the same containment check. Both chains end the same way: full compromise of the developer's machine and of the SaaS workspace connected to it.
Prompt injection is no longer an LLM problem
The point the Cato team raises in the report reframes the discussion on agent security. Prompt injection is no longer a problem of the language model alone, confined to the exchange between user and chatbot; it now reaches classic bugs in the IDE's auxiliary code: the sandbox, path canonicalization, handling of working_directory. None of these components was designed on the assumption that the parameter could originate from an external MCP server read during autonomous execution. The agent is the intermediary that launders hostile input into trusted parameters.
A study by Pillar Security published this week on a parallel chain, dubbed NomShub, examines Cursor's Remote Tunnel feature in the same spirit. According to the researchers, the agent pipeline has become the new security perimeter of the developer workstation. Application security teams that spent years writing rules to detect vulnerable dependencies in CI now need to take stock of which MCP servers developers are connecting to their workstations, and under what approval policy.
What changes for consultancies and banks
For distributed engineering operations the problem is geographic. Delivery teams in Bangalore, Krakow, and São Paulo run Cursor against the same ticket backlog, with MCP servers pulling context from the client's Jira, Slack, and Confluence. A poisoned instruction inside a ticket, planted by a malicious insider or by an attacker with stolen credentials, reaches every workstation still on a pre-3.0 version. Consultancies with development centers in third countries carry the largest blast radius because they standardized on Cursor without inventorying how many developers have upgraded to 3.0 in the last three months.
Banks that have integrated Cursor into internal code-review pipelines face a further question on the compliance side. If Cursor executes code inside the sandbox at the direction of an LLM responding to an external MCP server, and that MCP server was approved by the developer alone without a formal change ticket, the operation is a change to the attack surface that would require change approval under DORA in Europe and under SEC Rule 15c3-5 in the United States. Neither regime was written with autonomous agents in mind. DuneSlide is the kind of incident that forces a conservative reading of both.