Cursor's DuneSlide RCE: when your AI agent runs the terminal
Two CVSS 9.8 flaws (CVE-2026-50548/50549) turn Cursor's auto-run terminal into zero-click remote code execution. What it means for teams using AI coding agents.
Give an AI coding agent a terminal and the convenience is obvious: it runs the build, installs the package, greps the logs — no approval clicks. The risk is the same sentence with one word changed. If the agent will run any command it's told to, then anyone who can plant a command in what the agent reads can run code on your machine. That's not hypothetical anymore. Cato AI Labs published DuneSlide on July 1 — two flaws that turn Cursor's auto-run terminal into zero-click remote code execution.
What actually happened
DuneSlide is CVE-2026-50548 and CVE-2026-50549, both rated CVSS 9.8. The setup: Cursor 2.x runs terminal commands inside a sandbox by default, with no user approval — a design meant to kill approval fatigue. The two bugs let an attacker break out of that sandbox. Per The Hacker News, one abuses a non-default working_directory parameter to write outside the project scope; the other uses a symlink whose canonicalization fails, so Cursor falls back to the original path and writes where it shouldn't. Either way, the attacker overwrites the cursorsandbox binary itself — after which every "sandboxed" command runs unsandboxed on the host.
The trigger is prompt injection with no click required. Hidden instructions live in something the agent ingests on its own: a poisoned web search result, a connected MCP server, a file it's asked to read. Cato's write-up is blunt about the payoff — full compromise of the developer's machine "plus any cloud or SaaS workspaces" the editor can reach. The flaws were reported in February and fixed in Cursor 3.0, released April 2; every version before 3.0 is affected. CVE IDs landed June 5, and the public breakdown dropped July 1.
Why it matters for your business
Most small teams don't run Cursor — but "an AI agent with a terminal and no approval step" describes a lot of what shipped in the last year, from coding assistants to the automation tools quietly wired into your ops. DuneSlide is the template: prompt injection is now a remote-code-execution vector, and the exposure scales with how much autonomy you handed the agent and how much it can already touch.
Two things to do. First, the boring one: if anyone on your team or your contractors uses Cursor, confirm they're on 3.0 or later — a version older than April is a live 9.8 sitting on a machine with your repo keys and cloud credentials on it. Second, the durable one: treat auto-run as a setting you decide, not a default you inherit. An agent that executes commands should run with least privilege, read only from sources you trust, and — for anything that touches production or secrets — keep a human in the approval path. Convenience that removes the human is convenient for the attacker too.
Key takeaways
- DuneSlide = CVE-2026-50548 and CVE-2026-50549, both CVSS 9.8, in Cursor's auto-run terminal
- Zero-click: prompt injection via web results, MCP servers, or files escalates to full RCE on host and connected SaaS
- All Cursor 2.x is affected; fixed in Cursor 3.0 (April 2, 2026) — check your team's version now
- The pattern generalizes: any AI agent with unattended command execution is new attack surface — scope its permissions and trust
Wired an AI agent into your workflow and not sure what it can reach? We scope agent permissions, lock down what they read and run, and keep humans on the calls that matter. See how we build safe AI systems or book a review.
Sources: Cato Networks, The Hacker News.
- #ai-security
- #cursor
- #prompt-injection
- #coding-agents
- #rce
Tommy Rush — Founder, Rush Commerce
Operator turned builder. 15+ years running operations — now shipping the systems businesses run on. More
Get The Rush Report weekly — one email, zero fluff.
Keep reading
Ubiquiti UniFi CVSS 10: patch the box that runs your office
Ubiquiti's UniFi Connect flaw CVE-2026-50746 (CVSS 10.0) lets an unauthenticated attacker on your network run commands on the host. Patch to 3.4.20 now.
Read itJoomla page builders hit CVSS 10.0: patch your CMS now
Two Joomla page-builder extensions have unauthenticated CVSS 10.0 file-upload flaws that are already dropping web shells and hidden admin accounts. Your marketing site is attack surface.
Read it