Summary
On July 1, 2026 Cato AI Labs publicly disclosed DuneSlide, two critical (CVSS 9.8) zero-click remote-code-execution vulnerabilities in the Cursor AI code editor. A prompt injection hidden in content the agent merely reads, such as an MCP connector response or a web-search result, could escape Cursor's terminal sandbox and run arbitrary commands with no click or approval. Both flaws were fixed in the Cursor 3.0 release.
What changed
Cato disclosed CVE-2026-50548 (an attacker-controlled working_directory on the run_terminal_cmd tool grants writes outside the project root) and CVE-2026-50549 (a symlink and path-canonicalization fallback lets the agent trust an unvalidated path); both enable zero-click RCE via indirect prompt injection. Cursor fixed both in the 3.0 release, with CVE IDs assigned June 5; versions before 3.0 remain vulnerable.
Why it matters
It shows that AI coding agents' read surfaces (MCP responses, web results, repository content) are an untrusted input path that can reach OS-level code execution, raising the security bar for every agentic IDE and reinforcing sandbox, approval, and provenance controls.
Evidence excerpt
A single prompt-injected instruction hidden in content the AI agent merely reads, such as an MCP connector response or a web search result, could escape Cursor's terminal sandbox and run arbitrary commands on a developer's machine with no click or approval needed.