What Cato found in Cursor
Cato AI Labs has disclosed two critical vulnerabilities in Cursor, the AI code editor its maker says is used by more than half the Fortune 500. Named DuneSlide and tracked as CVE-2026-50548 and CVE-2026-50549, both carry a CVSS score of 9.8 out of 10, or 9.3 on the newer 4.0 scale. Both are fixed in Cursor 3.0, released on 2 April 2026, and every earlier version is affected.
No active exploitation was recorded at disclosure. The road to a fix was not smooth. Cato reported the issue on 19 February, the vendor first rejected it on 23 February, then reopened it, shipped one fix on 1 April and the second on 1 June, and CVE numbers were assigned on 5 June.
How a web page becomes a command
The technique is prompt injection with no click. The developer never types a malicious instruction. Instead the agent reads content on the user's behalf: a response from a connected Model Context Protocol server, a page returned by a web search, or a file inside the project. That content carries hidden orders the model then follows.
The first flaw abuses the working_directory parameter. When the agent sets it to a non-default path, Cursor adds that path to its allowed-write list without checking, so an injected instruction can overwrite a system file such as the sandbox helper binary or a shell profile. The second flaw exploits a symlink check that fails open: when Cursor cannot resolve a shortcut, it trusts the in-project path and writes straight through to the same helper. Overwrite that helper and the next command runs outside the sandbox with the developer's full rights.
The reading list is now the attack surface
The uncomfortable shift is what counts as input. For years the threat model for a code editor was the code you wrote and the extensions you installed. An autonomous agent widens that to everything it reads on its own: a dependency's README, a tool result, a scraped page. Each of those is now executable instruction, and the blast radius is the operating system rather than a browser tab.
For a business that rolled AI coding assistants out to its engineers, this reframes the tool as a supply-chain component with machine-level reach, not a productivity plugin. Under NIS2 in the EU, and the equivalent duties UK firms already carry, the security of the software you deploy to staff is the board's accountability, and an unpatched agent that trusts untrusted content sits squarely inside that duty.
What owners should do this week
The immediate step is version hygiene. Confirm every developer is on Cursor 3.0 or later, because nothing before it is safe, and ask the same question of any other agentic editor or IDE assistant in use. Establish which AI tools have autonomous permission to write files or run commands, and who signed off on that.
The durable step is to treat an agent's read sources as untrusted by default. Restrict which Model Context Protocol servers a team may connect, keep agents away from unreviewed external content where you can, and require human approval for file writes outside the working project. The tooling is worth keeping; the permissions around it now need the same discipline you already apply to any component that can touch a live machine.