Popular AI Coding Tool Cursor Has Flaws That Could Let Attackers Run Code on Your Computer
Security researchers found two vulnerabilities in the Cursor AI code editor that could allow an attacker to silently take control of a developer's machine — no click required.

Key points
- Researchers discovered two vulnerabilities, collectively named DuneSlide, in the Cursor AI code editor.
- The flaws allow a zero-click prompt injection attack, meaning no user interaction is needed to trigger them.
- A successful attack can escape Cursor's sandbox — the protected zone meant to keep the application's activity contained — and run any code on the victim's operating system.
- No CVE identifiers have been publicly assigned to the DuneSlide flaws at the time of writing.
- Cursor is a widely used AI-assisted code editor built on top of Microsoft Visual Studio Code.
Cursor is a code editor — a tool developers use to write software — that layers artificial intelligence assistance on top of the work. Millions of developers use it daily. That makes this week's disclosure uncomfortable reading.
Security researchers published details of two vulnerabilities they call DuneSlide. Together, the flaws create a path for attackers to take over a developer's computer without that developer doing anything wrong.
The attack technique is called zero-click prompt injection. Break that down: a prompt is an instruction fed to an AI model; injection means slipping malicious instructions into content the AI is asked to process; and zero-click means the victim never has to open a dodgy file or follow a suspicious link. The AI simply encounters the weaponised content — perhaps inside a code repository, a documentation file, or a response from an external service — and the attack fires automatically.
Could this affect ordinary developers who just use Cursor to write code?
Yes. Any developer who opens an untrusted project, pulls in code from a public repository, or asks Cursor to summarise external content could be exposed. The attack does not require the developer to make a mistake.
Once the malicious prompt triggers, the DuneSlide chain goes further. It escapes the sandbox — the walled-off environment Cursor runs code in so that problems stay contained — and reaches the underlying operating system. At that point, the attacker can read files, steal credentials stored on the machine, install further malware, or pivot deeper into a corporate network. First reported by SecurityWeek, the flaws are described as enabling full OS-level remote code execution.
The specific CVE identifiers — the standardised reference numbers used to track software vulnerabilities — had not been assigned publicly at the time of writing. Cursor's parent company had not issued a public advisory at the time this article was filed.
Developers' machines are high-value targets. They hold source code, API keys — secret passwords that connect services together — cloud credentials, and access to production systems. One compromised developer laptop can open a company's entire infrastructure.
What developers using Cursor should do now:
- Update Cursor to the latest available version immediately, and watch for a dedicated security advisory from the vendor.
- Avoid opening code repositories from unknown or untrusted sources until a patch is confirmed.
- Treat any AI-generated output that asks you to run additional commands as suspicious.
- Check your machine's credential stores — saved passwords and API keys — and rotate any that a compromised session could have accessed.



