Critical Zero-Click RCE Vulnerabilities Disclosed in Cursor IDE


First seen 1 Jul 2026, 20:16 UTC. Sources: Cybersecuritynews, Reddit, Letsdatascience, radar.offseq.com

Cato AI Labs disclosed two critical remote code execution vulnerabilities in Cursor IDE, identified as CVE-2026-50548 and CVE-2026-50549, both rated 9.8 under CVSS 3.1. The vulnerabilities allow zero-click prompt injection, enabling attackers to execute arbitrary commands without user interaction. The flaws exploit how the IDE handles working-directory parameters and symlink resolution, allowing malicious content to bypass sandbox protections. Users of Cursor IDE, particularly those on versions prior to 3.0 (released on April 2, 2026), are at risk if they have not updated. The vulnerabilities were published on June 25, 2026, and no patches or workarounds are confirmed as of now. Organizations are advised to avoid processing untrusted content through the IDE's AI agent until further notice.

Key Points:
• Two critical RCE vulnerabilities in Cursor IDE allow zero-click prompt injection.
• CVE-2026-50548 and CVE-2026-50549 exploit sandbox handling flaws in the IDE.
• Cursor IDE versions prior to 3.0 remain vulnerable; no patches confirmed yet.

ThreatCluster AI

Timeline

2026-04-02: Cursor IDE version 3.0 released
Cursor IDE 3.0 was released, which includes patches for the disclosed vulnerabilities.
Source: Letsdatascience

2026-06-25: CVE-2026-50548 and CVE-2026-50549 published
Cato AI Labs disclosed two critical RCE vulnerabilities in Cursor IDE, allowing zero-click prompt injection.
Source: radar.offseq.com

2026-07-01: Current status of vulnerabilities
As of July 1, 2026, no patches or workarounds are confirmed for CVE-2026-50548 and CVE-2026-50549.
Source: Cybersecuritynews
