Critical Flaws in Popular AI Code Editor Put Developers at Risk of OS-Level Remote Code Execution
A recent security discovery has exposed two critical vulnerabilities in Cursor, a widely used AI code editor, which could allow attackers to execute malicious code on developers’ operating systems. The issues, tracked as CVE-2026-50548 and CVE-2026-50549, have been assigned a CVSS score of 9.8, which falls in the critical severity range.
The security flaws, referred to as DuneSlide, take advantage of Cursor’s automatic terminal command execution feature inside the editor’s sandbox. This allows an attacker to inject malicious code into the system without prompting the user for approval. According to Cato Networks, which reported the issues to Cursor in February, the vulnerabilities can be triggered when a victim prompts the IDE to ingest an attacker-controlled payload.
One of the flaws is related to the sandbox’s security boundaries. While command execution should be restricted to the current working directory, a non-default value assigned to the working_directory parameter results in the path being added to the allow list. This creates a vulnerability that can be exploited by injecting a prompt that instructs the LLM (Large Language Model) to set the working directory to an attacker-supplied path outside the project scope.
With an outside path on the allow list, a threat actor could overwrite the cursorsandbox executable, ensuring that future commands run without sandbox restrictions. This would lead to a non-sandboxed remote code execution vulnerability, allowing the attacker to execute malicious code on the system with elevated privileges.
The second security defect affects the IDE’s handling of file path resolution edge cases and could be exploited via symbolic links to bypass out-of-bounds write protections. An attacker can craft a prompt that instructs the agent to create a symlink within the project directory that points to a file outside it. A flaw in the agent’s path canonicalization logic causes Cursor to fall back to using the original symlink path, rather than the target path.
As a result, a threat actor can create a write-only symlink, forcing Cursor to assume the resolved path is the symlink path, rather than the target path. The check that the ultimate destination is out of bounds therefore never fires, allowing the attacker to link to the cursorsandbox executable once more.
Cursor released patches for both vulnerabilities in version 3.0 on April 2, but users who have not updated may still be at risk. The CVE IDs were assigned in early June, and developers are advised to update their systems as soon as possible to mitigate these critical flaws.
The discovery highlights the importance of regular security updates and patching in AI-driven software development environments. As more tools and applications depend on AI-powered features, the risk of vulnerabilities like DuneSlide increases. Developers should prioritize keeping their systems up to date and be aware of potential security risks associated with using AI code editors.
To stay protected, developers should immediately update to Cursor version 3.0 or later, and ensure that all dependencies are also updated. Additionally, users should exercise caution when opening unknown files or prompts in the editor, as this could potentially lead to exploitation of these vulnerabilities. By taking proactive steps to secure their systems, developers can minimize the risk of remote code execution attacks and maintain the integrity of their applications.
Source: SecurityWeek — 2026-07-03