Letsdatascience
Critical RCE Vulnerabilities in Cursor IDE Enable Zero-Click Prompt Injection Attacks
Article Content
Cato AI Labs disclosed two critical remote code execution (RCE) vulnerabilities in Cursor IDE, tracked as CVE-2026-50548 and CVE-2026-50549. Both enable zero-click prompt injection: an attacker can obtain arbitrary code execution without any user interaction. The flaws stem from improper handling of the working directory and of symlink resolution inside Cursor's sandboxed environment. The attack vector is particularly dangerous because a benign-looking prompt is enough to trigger it, as long as the prompt causes the IDE to ingest malicious content from an untrusted source.

Both vulnerabilities carry a CVSS score of 9.8, a critical severity rating. Cursor IDE is widely deployed, with over half of Fortune 500 companies relying on it. A patch was released in April 2026, but any installation that has not been updated remains vulnerable. Users are advised to avoid processing untrusted content until the fix is confirmed to be in place.
Key Points:
• CVE-2026-50548 and CVE-2026-50549 allow zero-click RCE via prompt injection.
• The vulnerabilities exploit flaws in Cursor IDE's sandboxing mechanisms.
• A patch was released in April 2026; unpatched systems remain at risk.
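As an added illustration of the bug class the summary names (this is not Cursor's code and not the disclosed exploit): a sandbox containment check that compares unresolved path strings lets a symlink inside the sandbox reach a file outside it, whereas a check that resolves both the sandbox root and the target before comparing does not. The directory layout and file names are constructed for the demo.

```python
import os
import shutil
import tempfile
from pathlib import Path


def naive_is_inside(sandbox_root: str, requested: str) -> bool:
    # Weak check: normalises the string but never resolves symlinks, so a
    # link inside the sandbox that points outside it passes.
    candidate = os.path.normpath(os.path.join(sandbox_root, requested))
    return candidate.startswith(os.path.normpath(sandbox_root) + os.sep)


def hardened_is_inside(sandbox_root: str, requested: str) -> bool:
    # Resolve the root first (it may itself be a symlink or be given relative
    # to the current working directory), then resolve the candidate and
    # require it to be the root or a descendant of it.
    root = Path(sandbox_root).resolve(strict=True)
    target = (root / requested).resolve(strict=False)
    return target == root or root in target.parents


def demo() -> dict:
    # Constructed layout: <tmp>/sandbox/link -> <tmp>/outside (escapes root)
    base = tempfile.mkdtemp()
    try:
        root = os.path.join(base, "sandbox")
        outside = os.path.join(base, "outside")
        os.makedirs(root)
        os.makedirs(outside)
        os.symlink(outside, os.path.join(root, "link"))
        Path(outside, "secret.txt").write_text("constructed sample")
        return {
            "naive_symlink": naive_is_inside(root, "link/secret.txt"),
            "hardened_symlink": hardened_is_inside(root, "link/secret.txt"),
            "naive_dotdot": naive_is_inside(root, "../outside/secret.txt"),
            "hardened_dotdot": hardened_is_inside(root, "../outside/secret.txt"),
            "hardened_legit": hardened_is_inside(root, "src/main.py"),
        }
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allowed' if allowed else 'blocked'}")
```

The naive check blocks the `..` traversal but admits the symlinked path; the hardened check blocks both and still admits an ordinary file under the root.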