Critical Flaws in Cursor AI IDE Expose OS-Level RCE Vulnerability and Security Risks

www.news4hackers.com-critical-flaws-in-cursor-ai-ide-expose-os-level-rce-vulnerability-and-security-risks-critical-flaws-in-cursor-ai-ide-expose-os-level-rce-vulnerability-and-security-risks

Severe vulnerabilities in the Cursor AI code editor could enable remote code execution on the host operating system, according to Cato Networks.

Overview of the Vulnerabilities

Cato Networks has identified two critical vulnerabilities in the AI code editor Cursor, designated as CVE-2026-50548 and CVE-2026-50549, with a CVSS score of 9.8. These flaws, collectively named DuneSlide, allow attackers to bypass the IDE’s sandbox environment and execute code at the operating system level.

CVE-2026-50548: Sandbox Bypass via Terminal Command Execution

The first vulnerability exploits the automatic terminal command execution feature within the sandbox, which lacks user confirmation prompts. Attackers can trigger this by embedding malicious payloads in prompts that the IDE processes. The flaw stems from the sandbox’s handling of the working_directory parameter. When a non-default value is set, the specified path is added to an allow list, allowing an attacker to manipulate the working directory to an external location outside the project scope. This enables the overwrite of the cursorsandbox executable, effectively removing sandbox restrictions for subsequent commands.

CVE-2026-50549: Symbolic Link Path Resolution Flaw

The second vulnerability involves a flaw in the file path resolution logic when processing symbolic links. An attacker can craft a prompt that instructs the IDE to create a symlink within the project directory pointing to an external file. The agent’s path canonicalization process, which attempts to resolve the symlink’s location, fails to verify whether the final destination lies outside the project’s boundaries. This allows the creation of a write-only symlink, tricking the system into treating the symlink path as valid. Attackers can then use this to overwrite the cursorsandbox executable, enabling untrusted code execution.

Disclosure and Patch Details

Cato Networks disclosed these issues to Cursor in February 2026. Patches were included in Cursor 3.0, released on April 2, 2026. The CVE identifiers were assigned in early June 2026.

Implications and Recommendations

The vulnerabilities highlight the risks associated with AI-driven development tools, particularly when sandboxing mechanisms are insufficient to prevent privilege escalation. Organizations using Cursor are advised to apply the latest updates promptly to mitigate potential exploitation. The findings underscore the importance of rigorous security testing for AI-powered applications, as flaws in seemingly isolated components can have cascading effects on system integrity. Developers and security teams must remain vigilant against techniques that exploit indirect command execution and path resolution vulnerabilities.

“These flaws demonstrate how critical it is to validate sandboxing mechanisms in AI tools to prevent OS-level compromises,” said Cato Networks.



About Author

en_USEnglish