Critical RCE Vulnerabilities in Cursor IDE Enable Zero-Click Prompt Injection Attacks

First seen 1 Jul 2026, 20:16 UTC. Sources: Cybersecuritynews, Reddit, Letsdatascience, radar.offseq.com, Csoonline, +6 more (88% similarity, score 72.6).

Article Content


Cato AI Labs disclosed two critical remote code execution (RCE) vulnerabilities in Cursor IDE, tracked as CVE-2026-50548 and CVE-2026-50549. They enable zero-click prompt injection: arbitrary code execution with no user interaction. The flaws arise from improper handling of the working directory and symlink resolution within Cursor's sandboxed environment. The attack vector is particularly dangerous because it can be triggered by an otherwise benign prompt that ingests malicious content from an untrusted source. Both vulnerabilities carry a CVSS score of 9.8 (critical). Cursor IDE is widely used, with over half of Fortune 500 companies relying on it. A patch was released in April 2026, but systems that have not been updated remain vulnerable. Users are advised to avoid processing untrusted content until a confirmed fix is in place.

Key Points:
• CVE-2026-50548 and CVE-2026-50549 allow zero-click RCE via prompt injection.
• The vulnerabilities exploit flaws in Cursor IDE's sandboxing mechanisms.
• A patch was released in April 2026; unpatched systems remain at risk.
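The summary attributes the flaws to working-directory handling and symlink resolution inside the sandbox. The page does not describe Cursor's implementation, so the following is an added, generic illustration of that class of defect, not Cursor's code or the disclosed exploit: a workspace-containment check that compares un-resolved path strings (weak) beside one that resolves symlinks on both sides and tests containment component-wise (hardened). The directory layout, file names and the `demo()` helper are constructed for the example.

```python
import os
import tempfile
from pathlib import Path


def is_within_workspace_naive(workspace_root: str, candidate: str) -> bool:
    # Weak check: normalises ".." but never follows symlinks, and then relies on
    # a string prefix. A symlink inside the workspace that points outside it
    # passes this test, so the sandbox boundary is only nominal.
    root = os.path.abspath(workspace_root)
    path = os.path.abspath(candidate)
    return path == root or path.startswith(root + os.sep)


def is_within_workspace(workspace_root: str, candidate: str) -> bool:
    # Hardened check: resolve symlinks on the root (must exist) and on the
    # candidate (non-strict, so not-yet-created files inside the workspace are
    # still accepted), then test containment by path components rather than
    # by string prefix. relative_to() raises ValueError when the resolved
    # target is not under the resolved root.
    root = Path(workspace_root).resolve(strict=True)
    target = Path(candidate).resolve()
    try:
        target.relative_to(root)
    except ValueError:
        return False
    return True


def demo() -> dict:
    # Constructed scenario: a workspace containing a symlink that escapes to a
    # sibling directory holding a file the sandbox should never reach.
    with tempfile.TemporaryDirectory() as tmp:
        workspace = Path(tmp, "workspace")
        workspace.mkdir()
        outside = Path(tmp, "outside")
        outside.mkdir()
        secret = outside / "secret.txt"
        secret.write_text("constructed sample content\n")

        escape_link = workspace / "escape"
        escape_link.symlink_to(outside)  # symlink inside workspace -> outside

        via_symlink = str(escape_link / "secret.txt")
        via_dotdot = str(workspace / ".." / "outside" / "secret.txt")
        new_inside = str(workspace / "new_file.txt")  # does not exist yet

        return {
            # The naive check is fooled by the symlink ...
            "naive_symlink": is_within_workspace_naive(str(workspace), via_symlink),
            # ... while the hardened check rejects it.
            "hardened_symlink": is_within_workspace(str(workspace), via_symlink),
            # Both reject plain ".." traversal, since abspath/resolve normalise it.
            "naive_dotdot": is_within_workspace_naive(str(workspace), via_dotdot),
            "hardened_dotdot": is_within_workspace(str(workspace), via_dotdot),
            # A not-yet-created file inside the workspace is still permitted.
            "hardened_new_inside": is_within_workspace(str(workspace), new_inside),
        }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:22s} allowed={allowed}")
```

The point of the comparison is that ".." traversal alone is not the whole boundary problem: a check has to canonicalise symlinks on both the root and the candidate before deciding containment, and it should do so by path components so that a sibling directory with the same prefix (for example `workspace2` next to `workspace`) is not accepted either.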

ThreatCluster AI

Timeline

2026-04-02: Patch released for Cursor IDE
Cursor IDE version 3.0 was released, addressing the critical vulnerabilities CVE-2026-50548 and CVE-2026-50549.
Source: Csoonline

2026-06-25: CVE-2026-50548 and CVE-2026-50549 published
Cato AI Labs disclosed two critical RCE vulnerabilities in Cursor IDE, enabling zero-click prompt injection attacks.
Source: Gbhackers

Recent: Vulnerabilities disclosed publicly
Cato AI Labs publicly disclosed the vulnerabilities, emphasizing the risk of zero-click attacks in AI-assisted development environments.
Source: radar.offseq.com
