[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fFp7QoRURRMTmLyF0n7eCe4TxrDRwUGU7PUSs37dGmL0":3},{"article":4,"iocs":51},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":28,"category":29,"article_tags":33},"5315dc2e-bca8-42e3-b2fe-70ebfabfcfe0","Critical Cursor AI IDE Flaws Could Lead to OS-Level Remote Code Execution","critical-cursor-ai-ide-flaws-could-lead-to-os-level-remote-code-execution-52b791","The DuneSlide vulnerabilities enable zero-click prompt injection attacks that escape Cursor's sandbox and execute arbitrary code on the underlying operating system. The post Critical Cursor AI IDE Flaws Could Lead to OS-Level Remote Code Execution appeared first on SecurityWeek.","Two critical vulnerabilities, DuneSlide (CVE-2026-50548 and CVE-2026-50549), have been discovered in the Cursor AI code editor, potentially enabling OS-level remote code execution. These flaws allow attackers to exploit Cursor's automatic terminal command execution and file path resolution to bypass sandbox restrictions and execute arbitrary code. Patches for these vulnerabilities were included in Cursor version 3.0.","Two critical vulnerabilities in Cursor AI IDE allow OS-level RCE via prompt injection.","Two critical vulnerabilities in the popular AI code editor Cursor could lead to remote code execution on the underlying operating system, Cato Networks reports. The security defects are tracked as CVE-2026-50548 and CVE-2026-50549 (CVSS score of 9.8) and are referred to as DuneSlide, given that they lead to remote code execution (RCE) outside of the IDE’s sandbox. According to Cato, the flaws abuse Cursor’s automatic terminal command execution inside the sandbox, which does not prompt the user for approval, and can be triggered when a victim prompts the IDE to ingest an attacker-controlled payload. The first issue is related to the sandbox’s security boundaries. While command execution should be restricted to the current working directory, a non-default value assigned to the working_directory parameter results in the path being added to the allow list. Thus, an innocuous MCP server request could inject a prompt that would instruct the LLM to set the working directory to an attacker-supplied path outside the project scope. A threat actor could overwrite the cursorsandbox executable, ensuring that “future commands run without sandbox restrictions, so future instructions within the same prompt injection lead to a non-sandboxed RCE,” Cato explains.Advertisement. Scroll to continue reading. Completely independent from this vulnerability, the second security defect affects the IDE’s file path resolution edge cases and could be exploited via symbolic links to bypass out-of-bounds write protections. An attacker could craft a prompt that, when injected in Cursor, instructs the agent to create within the project directory a symlink pointing to an outside file. A flaw in the agent’s path canonicalization logic (it attempts to resolve the symlink to determine its location and verify it is in the project’s directory) results in Cursor falling back to using the original symlink path. “A threat actor can then create a write-only symlink, thus forcing Cursor to assume the resolved path is the symlink path, rather than the target path. This fails its detection that the ultimate destination is out of bounds, allowing the threat actor to link to the cursorsandbox executable once more,” Cato explains. Cato reported the two flaws to Cursor in February. Patches for both were included in Cursor 3.0, which was released on April 2, while the CVE IDs were assigned in early June. Learn More at the AI Risk Summit | Ritz-Carlton, Half Moon Bay Related: Cursor AI Vulnerability Exposed Developer Devices Related: Several Vulnerabilities Patched in AI Code Editor Cursor Related: Decades-Old Bash Tricks Expose AI Coding Agents to Supply Chain Attacks Related: When Information Becomes the Attack Surface – Understanding AI Agent Traps Written By Ionut Arghire Ionut Arghire is an international correspondent for SecurityWeek. Daily Briefing Newsletter Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights. More from Ionut Arghire Adobe Patches Critical ColdFusion, Campaign Classic VulnerabilitiesCitrix Patches NetScaler Vulnerabilities, Including New ‘HTTP\u002F2 Bomb’ AttackApple Patches Dozens of Vulnerabilities Across iOS, macOS, and SafariDawnguard Raises $6.3 Million for Security Architecture Automation PlatformMassive Password Spray Campaign Targeting Azure CLIAflac Japan Data Breach Impacts 4.38 MillionExploitation of Recent Oracle E-Business Suite Vulnerability BeginsCritical SimpleHelp Vulnerability Exploited for Malware Delivery Latest News New CitrixBleed Vulnerability Exploited Immediately After Public DisclosureHow to Conduct a Successful Audit of AI-Driven Software DevelopmentFortiBleed Campaign Linked to INC, Lynx Ransomware AttacksTrump Administration Lifts Restrictions on Anthropic’s Claude Models After Cybersecurity AlarmCisco Confirms In-the-Wild Exploitation of Unified CM Vulnerability‘BioShocking’ Attack Tricks AI Browsers Into Stealing CredentialsCISA Warns of Actively Exploited Microsoft SharePoint VulnerabilityMicrosoft Adds New Teams Controls to Block Unauthorized AI Bots From Meetings Trending Daily Briefing NewsletterSubscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts. Webinar: Why Email Security Keeps Failing (And What Has to Change) July 8, 2026 Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more. Register Virtual Event: 2026 Cloud Security Summit July 16, 2026 This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments. Register People on the MoveJames Phillips has been promoted to the role of Vice President, Cybersecurity Risk Management at AT&T.Rafal Los has joined Binary Defense as Chief Strategy Officer.Tracey Mustacchio has joined Everfox as Chief Marketing Officer.More People On The MoveExpert Insights How to Conduct a Successful Audit of AI-Driven Software Development As AI-generated code becomes commonplace, CISOs need new audit strategies to measure developer practices, govern AI tool usage, and identify software risks before they reach production. (Matias Madou) Frontier AI: Six Questions Every Enterprise Should Ask Security Vendors From model selection and automation to validation and measurable results, the right questions can help enterprises separate genuine AI capabilities from marketing hype. (Joshua Goldfarb) The AI Token Costs That Can Break Cybersecurity As cybersecurity platforms embrace agentic AI, organizations must balance detection performance against the escalating costs of token consumption, deployment architecture, and AI credits. (Danelle Au) When Information Becomes the Attack Surface – Understanding AI Agent Traps From hidden content injections to cognitive state poisoning, attackers are turning trusted data sources into traps for autonomous AI. (Etay Maor) What the Latest ShinyHunters Breaches Reveal About Modern Cyberattacks Groups like ShinyHunters are demonstrating that attackers do not necessarily need malware or zero-day exploits to cause massive damage. (Torsten George) Flipboard Reddit Whatsapp Whatsapp Email","https:\u002F\u002Fwww.securityweek.com\u002Fcritical-cursor-ai-ide-flaws-could-lead-to-os-level-remote-code-execution\u002F","https:\u002F\u002Fwww.securityweek.com\u002Fwp-content\u002Fuploads\u002F2025\u002F11\u002FNPM-code-software-development.jpeg","2026-07-03T07:57:53+00:00","2026-07-03T08:00:14.701578+00:00",8,[18,21,24,26],{"name":19,"type":20},"Cursor","product",{"name":22,"type":23},"AI code editor","technology",{"name":25,"type":23},"LLM",{"name":27,"type":23},"sandbox","80544778-fabb-4dcd-aa35-17492e5dcf4f",{"id":28,"icon":30,"name":31,"slug":32},null,"Vulnerabilities","vulnerabilities",[34,39,41,46],{"category":35},{"id":36,"icon":30,"name":37,"slug":38},"574f766a-fb3f-487c-8d2c-0720ae75471b","Zero-day","zero-day",{"category":40},{"id":28,"icon":30,"name":31,"slug":32},{"category":42},{"id":43,"icon":30,"name":44,"slug":45},"839da5c1-3c34-47e2-9499-f7201640e3ac","AI Security","ai-security",{"category":47},{"id":48,"icon":30,"name":49,"slug":50},"89f78b1c-3503-45a1-9fc7-e23d2ce1c6d5","Malware","malware",[52,56],{"type":53,"value":54,"context":55},"cve","CVE-2026-50548","DuneSlide vulnerability in Cursor AI IDE.",{"type":53,"value":57,"context":55},"CVE-2026-50549"]