[NEWSLETTER]score: 0.86

Patched Cursor Flaw Enabled Unauthenticated RCE via Prompt Injection and Tunnel Hijack

June 9, 2026

A now-patched Cursor vulnerability chained indirect prompt injection with a shell parser bypass to hijack the cursor-tunnel binary, granting unauthenticated shell access through Microsoft Dev Tunnels. The flaw required Cursor's built-in command sandbox to fail to block shell built-ins, enabling full sandbox breakout.

HOW THIS AFFECTS YOU

●

builderUpdate Cursor immediately if not already patched; this attack chain — prompt injection to sandbox escape to tunnel hijack — is a template to audit in any AI coding tool that executes shell commands.

●

policyThe exploit demonstrates that AI coding assistants with shell access create novel prompt-injection-to-RCE attack surfaces that existing sandboxing guidance doesn't fully address.

read original ↗straiker.ai

← back to feed