Letsdatascience
Critical Zero-Click RCE Vulnerabilities Disclosed in Cursor IDE
Cato AI Labs disclosed two critical remote code execution vulnerabilities in Cursor IDE, identified as CVE-2026-50548 and CVE-2026-50549, both rated 9.8 under CVSS 3.1. These vulnerabilities allow zero-click prompt injection, enabling attackers to execute arbitrary commands without user interaction. The flaws exploit how the IDE handles working-directory parameters and symlink resolution, allowing malicious content to bypass sandbox protections. Users of Cursor IDE, particularly those on versions prior to 3.0 released on April 2, 2026, are at risk if they have not updated. The vulnerabilities were published on June 25, 2026, and no patches or workarounds are confirmed as of now. Organizations are advised to avoid processing untrusted content through the IDE's AI agent until further notice.
Key Points:
• Two critical RCE vulnerabilities in Cursor IDE allow zero-click prompt injection.
• CVE-2026-50548 and CVE-2026-50549 exploit sandbox handling flaws in the IDE.
• Cursor IDE versions prior to 3.0 remain vulnerable; no patches confirmed yet.
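The summary attributes the sandbox bypass to how a working-directory parameter and symlink resolution are handled. The page gives no further detail, so the following is an added illustration of the defensive pattern, not Cursor's code and not a reconstruction of the actual flaw: it contrasts a lexical prefix check on a requested working directory with a check that canonicalizes the path (symlinks and `..` resolved) before testing that it stays under the sandbox root. The sandbox layout, the `link` symlink and the function names are constructed for the example.

```python
import os
import shutil
import tempfile
from pathlib import Path
from typing import Dict, Optional


def naive_check(root: str, requested: str) -> bool:
    """Weak pattern: lexical containment only. Symlinks inside `root` are never followed,
    so a link pointing outside the sandbox still passes."""
    root_norm = os.path.normpath(root)
    joined = os.path.normpath(os.path.join(root_norm, requested))
    return joined == root_norm or joined.startswith(root_norm + os.sep)


def resolve_within_root(root: str, requested: str) -> Optional[Path]:
    """Hardened pattern: canonicalize both sides with realpath, then require that the
    resolved candidate is a descendant of the resolved root. Returns the canonical
    path on success and None when the request would leave the sandbox."""
    root_real = Path(os.path.realpath(root))
    candidate = Path(os.path.realpath(os.path.join(root_real, requested)))
    try:
        candidate.relative_to(root_real)
    except ValueError:
        return None
    return candidate


def demo() -> Dict[str, bool]:
    """Build a constructed sandbox containing a symlink that escapes it and run
    three working-directory requests through both checks."""
    base = tempfile.mkdtemp()
    sandbox = os.path.join(base, "sandbox")
    outside = os.path.join(base, "outside")
    os.makedirs(sandbox)
    os.makedirs(outside)
    # Constructed escape route: a symlink inside the sandbox pointing outside it.
    os.symlink(outside, os.path.join(sandbox, "link"))
    try:
        return {
            "naive_inside": naive_check(sandbox, "src"),
            "naive_symlink": naive_check(sandbox, "link"),        # wrongly accepted
            "naive_dotdot": naive_check(sandbox, "../outside"),
            "strict_inside": resolve_within_root(sandbox, "src") is not None,
            "strict_symlink": resolve_within_root(sandbox, "link") is not None,
            "strict_dotdot": resolve_within_root(sandbox, "../outside") is not None,
        }
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

The lexical check rejects `../outside` but accepts `link`, because it never asks the filesystem where `link` points; the canonicalizing check rejects both while still accepting an ordinary subdirectory. The same ordering (resolve first, then compare) is what any working-directory or path parameter handed to an agent should go through before it is used to set a sandbox boundary.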