AI Security · Prompt Injection · LLM · CVE · Vulnerability Research

Your AI coding assistant is now an attack surface: the DuneSlide story


What happened

On July 2, Cato AI Labs published research on two critical vulnerabilities in Cursor IDE, the AI-powered code editor used by more than half of the Fortune 500. They named the pair DuneSlide.

CVE-2026-50548 and CVE-2026-50549 each carry a CVSS score of 9.8. Both let an attacker break out of Cursor's sandbox and execute arbitrary commands on the developer's host machine, and from there reach whatever SaaS workspaces that machine is connected to.

How the attack works

The entry point is indirect prompt injection. The attacker never types into your Cursor session. Instead, they plant instructions inside content that Cursor's AI agent fetches on the developer's behalf: a web search result, a page returned by a connected MCP tool, a document the model reads to complete a task.

When the model processes the injected instructions, it issues tool calls that overwrite the cursorsandbox binary, the component that keeps agent-executed commands inside a safe boundary. Once that binary is replaced, every subsequent agent command runs unsandboxed, and the attacker has full code execution on the host.

The attack is zero-click. There is no phishing link to open and no social engineering; the developer only has to have the IDE open and let the agent carry out a task that fetches the poisoned content.

Why MCP makes this worse

The Model Context Protocol was designed to give AI agents broader tool access: file systems, APIs, external services. It succeeds at that. It also dramatically expands what a successful injection can reach. In this case, any MCP integration becomes a potential injection entry point. The more tools you connect to your IDE, the larger the surface.

This is not a Cursor-specific problem. It is a structural property of any AI agent with tool access that does not validate model-directed tool calls at the boundary between LLM output and tool invocation: whatever the model was talked into asking for, the tool layer carries out.
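What enforcing that boundary looks like in practice, as an added example written for this post (it is not code from Cursor or from Cato's research): a policy gate that inspects each tool call the model proposes before anything runs. It refuses any write, move or shell command that would reach the sandbox helper, resolving `..`, relative and `~` paths first so traversal tricks do not slip past the check, and once untrusted content has entered the model's context it confines file writes to the workspace and withholds shell execution pending user approval. The install path `/opt/cursor/bin/cursorsandbox`, the tool names (`run_shell`, `write_file`, ...) and the argument shapes are hypothetical stand-ins; the sample call at the bottom is constructed.

```python
"""Policy gate between LLM output and tool invocation.

Added example, not Cursor's code. Every tool call the model proposes is
checked against a policy before it runs, so an injected instruction cannot
replace the binary that enforces sandboxing, or write outside the workspace
while the model is acting on untrusted content. The sandbox helper path, the
tool names and the argument shapes are assumptions for illustration.
"""
import os
import re
import shlex
from dataclasses import dataclass
from typing import Optional

# Assumed (hypothetical) install location of the sandbox helper.
PROTECTED_PATHS = ["/opt/cursor/bin/cursorsandbox"]

# Tools that can change files on disk; names are hypothetical.
MUTATING_TOOLS = {"write_file", "edit_file", "delete_file", "move_file"}

# Leading shell redirection (">", ">>", "2>") stripped from a token before path checks.
REDIRECT = re.compile(r"^\d*>{1,2}")


@dataclass
class ToolCall:
    name: str
    args: dict
    # True when content from an untrusted source (web search, MCP result,
    # fetched document) entered the model's context since the last user turn.
    tainted: bool = False


@dataclass
class Decision:
    allowed: bool
    reason: str


def resolve(path: str, base: str) -> str:
    """Expand ~, anchor relative paths at base, collapse '.' and '..', follow symlinks."""
    path = os.path.expanduser(path)
    if not os.path.isabs(path):
        path = os.path.join(base, path)
    return os.path.realpath(path)


def is_within(path: str, root: str) -> bool:
    return path == root or path.startswith(root + os.sep)


def protected_hit(path: str, base: str) -> Optional[str]:
    """Return the protected path that `path` resolves to (or into), else None."""
    real = resolve(path, base)
    for p in PROTECTED_PATHS:
        if is_within(real, os.path.realpath(p)):
            return p
    return None


def protected_in_command(command: str, base: str) -> Optional[str]:
    """Conservative check of a shell command for references to protected paths.

    First the literal path anywhere in the command (covers quoted strings handed
    to an interpreter), then each token with redirection stripped and the path
    resolved, which covers relative and traversal forms such as ../../opt/...
    """
    for p in PROTECTED_PATHS:
        if p in command:
            return p
    try:
        tokens = shlex.split(command)
    except ValueError:
        return "<unparseable command>"  # unbalanced quotes: refuse rather than guess
    for tok in tokens:
        hit = protected_hit(REDIRECT.sub("", tok), base)
        if hit:
            return hit
    return None


def gate(call: ToolCall, workspace: str = "/home/dev/project") -> Decision:
    """Decide whether a model-proposed tool call may run."""
    ws = os.path.realpath(workspace)

    if call.name == "run_shell":
        hit = protected_in_command(call.args.get("command", ""), ws)
        if hit:
            return Decision(False, f"shell command references protected path {hit}")
        if call.tainted:
            return Decision(False, "shell execution while acting on untrusted content needs explicit user approval")
        return Decision(True, "ok")

    if call.name in MUTATING_TOOLS:
        for key in ("path", "src", "dst"):
            if key not in call.args:
                continue
            hit = protected_hit(call.args[key], ws)
            if hit:
                return Decision(False, f"{call.name} targets protected path {hit}")
            if call.tainted and not is_within(resolve(call.args[key], ws), ws):
                return Decision(False, f"tainted context may not write outside the workspace: {call.args[key]}")
        return Decision(True, "ok")

    # Read-only tools (search, read_file, list_dir) pass: they cannot replace the sandbox.
    return Decision(True, "ok")


if __name__ == "__main__":
    # Constructed sample: an injected instruction asking the agent to replace the sandbox helper.
    injected = ToolCall("run_shell", {"command": "cp /tmp/payload ../../../opt/cursor/bin/./cursorsandbox"}, tainted=True)
    print(gate(injected))
```

A denylist of paths is a backstop, not the fix. The durable controls are that the sandbox binary is not writable by the identity the agent runs as (root-owned, or an immutable install whose integrity is checked before use), and that tool calls made while untrusted content is in context lose privileges by construction rather than by string matching; this gate shows the shape of the check at the boundary, not a complete parser of every shell construct.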

Current status

Both vulnerabilities are fixed in Cursor 3.0, released April 2, 2026; every earlier version is affected. Cato's initial disclosure was rejected in February, and the CVE IDs were assigned on June 5 after Cato escalated.

What to do

  • Update Cursor to version 3.0 or later. All prior versions remain vulnerable to both CVEs.
  • Audit every MCP integration you have connected to your IDE and remove any that are not strictly necessary.
  • Treat all web content and MCP-sourced content fetched by your AI agent as untrusted input, because it is.
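One way to start the MCP audit, as an added example written for this post rather than a Cursor or Cato tool: a script that reads the MCP server configuration and, for each server, reports the transport and the reasons it deserves scrutiny (a remote endpoint whose responses arrive from outside the host, a package runner that fetches an unpinned package at launch, credentials placed in the server's environment). It assumes the configuration is JSON with a top-level `mcpServers` object whose entries either launch a local process (`command`, `args`, `env`) or point at a remote `url`, and that the files live at `~/.cursor/mcp.json` and `.cursor/mcp.json`; those locations, the heuristics and the sample configuration are assumptions or constructed data, not facts from the page.

```python
"""Inventory the MCP servers wired into Cursor and flag the risky ones.

Added example, not Cursor's tooling. Assumes MCP servers are declared in JSON
files under a top-level "mcpServers" object whose entries either launch a
local process ("command", "args", "env") or point at a remote endpoint
("url"). File locations and heuristics are assumptions; SAMPLE_CONFIG is
constructed.
"""
import json
import os

CONFIG_CANDIDATES = ["~/.cursor/mcp.json", ".cursor/mcp.json"]  # assumed global and per-project locations
PACKAGE_RUNNERS = {"npx", "uvx", "pipx", "bunx"}                 # fetch and run a package at launch
SECRET_HINTS = ("TOKEN", "SECRET", "KEY", "PASSWORD")


def is_pinned(pkg: str) -> bool:
    """True when a package spec carries an explicit version (npm 'name@x.y.z' or PEP 440 '==')."""
    return "==" in pkg or "@" in pkg.lstrip("@")


def audit_servers(config: dict) -> list:
    """Return one finding per configured server: its transport plus reasons to scrutinise it."""
    findings = []
    for name, spec in config.get("mcpServers", {}).items():
        reasons = []
        if "url" in spec:
            reasons.append("remote endpoint: tool results arrive from outside the host")
            if not spec["url"].lower().startswith("https://"):
                reasons.append("endpoint is not served over TLS")
        cmd = spec.get("command", "")
        if os.path.basename(cmd) in PACKAGE_RUNNERS:
            # First non-flag argument is the package the runner will download and execute.
            pkg = next((a for a in spec.get("args", []) if not a.startswith("-")), "")
            if not is_pinned(pkg):
                reasons.append(f"{cmd} resolves '{pkg or '<unknown>'}' at launch with no version pin")
        secrets = [k for k in spec.get("env", {}) if any(h in k.upper() for h in SECRET_HINTS)]
        if secrets:
            reasons.append("credentials in env are reachable by anything the agent runs: " + ", ".join(secrets))
        findings.append({
            "server": name,
            "transport": "remote" if "url" in spec else "local",
            "reasons": reasons,
        })
    return findings


def load_configs(candidates=CONFIG_CANDIDATES) -> list:
    """Parse every candidate config file that exists; returns (path, dict) pairs."""
    found = []
    for c in candidates:
        path = os.path.expanduser(c)
        if os.path.isfile(path):
            with open(path, encoding="utf-8") as f:
                found.append((path, json.load(f)))
    return found


# Constructed sample configuration; server names, packages and hosts are invented.
SAMPLE_CONFIG = {
    "mcpServers": {
        "filesystem": {"command": "npx", "args": ["-y", "@modelcontextprotocol/server-filesystem", "/home/dev/project"]},
        "tickets": {"url": "http://mcp.internal.example/sse"},
        "github": {"command": "npx", "args": ["-y", "@example/github-mcp@1.4.0"], "env": {"GITHUB_TOKEN": "ghp_redacted"}},
        "local-tool": {"command": "/usr/local/bin/my-mcp", "args": []},
    }
}

if __name__ == "__main__":
    configs = load_configs() or [("<constructed sample>", SAMPLE_CONFIG)]
    for path, cfg in configs:
        print(f"== {path}")
        for finding in audit_servers(cfg):
            flags = "; ".join(finding["reasons"]) or "no flags (still an injection entry point; keep only if needed)"
            print(f"{finding['server']:<12} {finding['transport']:<6} {flags}")
```

A server with no flags is not a safe server: every integration is an entry point for injected content, so the output is a prioritised list for the "remove anything not strictly necessary" step, not a clean bill of health.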

Gigia Tsiklauri is a Security Architect and founder of Infosec.ge. Get in touch if you are assessing your AI development environment for injection risks.