Using Cursor? Update It Today — Two Serious Security Holes Just Got Fixed
Security researchers found two critical flaws in Cursor, the popular AI code editor: simply opening a malicious project could let attackers run commands on your computer. The fix is easy — update to version 3.0. Here's what happened and what it teaches all of us about AI tools.
If you write code with Cursor — the editor with an AI assistant built in — here’s the short version: two serious security holes were just disclosed, both are fixed in version 3.0, and updating takes two minutes. Do that first, then come back for the story, because it’s a genuinely interesting one.
Researchers at Cato AI Labs found the two flaws (catalogued as CVE-2026-50548 and CVE-2026-50549 — a CVE is simply a public ID number for a security bug). Both scored 9.8 out of 10 on the standard severity scale, which is about as bad as it gets. The attack works through something called prompt injection: hidden instructions planted inside a project’s files. When Cursor’s AI assistant reads those files, it can be tricked into following the hidden instructions instead of yours — including quietly running commands on your machine. A related flaw, found earlier by Novee Security, used a similar trick hidden in a repository’s Git settings.
What makes this uncomfortable is how ordinary the attack looks. You download a code project — from a client, a job application test, or a link someone shared — and open it in Cursor. That’s it. No suspicious email, no “click here” moment. The AI reads the project, the trap springs, and code runs in the background without you seeing a thing.
Here’s the bigger picture worth understanding: this isn’t really a Cursor problem. Any AI assistant that can both read files and run commands has this weak spot, because the AI can’t always tell the difference between your instructions and instructions someone hid in the content it reads. Think of it like a very eager intern who does whatever the last note on their desk says — even if a stranger left it. The patches make Cursor check more carefully before acting, but the underlying pattern is one the whole industry is still learning to handle.
What this means for you: If you use Cursor, update to 3.0 now — that’s the whole to-do list. If you’re newer to AI tools, the lesson travels well beyond coding: an AI assistant that can take actions (open files, run things, send things) should only be pointed at content you trust. And if you work on a team, it’s a good week to ask what your AI tools are actually allowed to do on company machines — most are set up more permissively than anyone remembers deciding.
Sources
Source: https://cybersecuritynews.com/cursor-ide-rce-vulnerabilities/
A Nobel Prize Winner Just Switched AI Labs — Why That's a Bigger Deal Than It Sounds
John Jumper, whose AlphaFold system won a Nobel Prize for cracking a 50-year-old biology problem, has left Google DeepMind for Anthropic. Star researchers changing teams tells you more about where AI is heading than most product launches do.