Two Clicks to Full Compromise
Adversa AI published research on July 15, 2026 detailing DeepJack — a two-click attack chain targeting Cursor IDE that installs a malicious Model Context Protocol (MCP) server with full user-level privileges. The exploit requires no authentication, no prior foothold, and no user-supplied credentials: just two clicks on what appears to be a routine pull request link.
Cursor has over 7 million active users and more than 50,000 company deployments. As of time of publication, Cursor 3.9.8 remains vulnerable.
How DeepJack Works
The attack exploits two classic, well-understood vulnerability classes — argument injection and UI deception — combined in a new context.
Click 1: The Disguised Link
Attackers craft a URL that appears to be a standard GitHub pull request review link. However, the URL uses double URL encoding to hide an mcp/install deeplink URI inside it. When a developer clicks the link, Cursor's deeplink handler processes it and silently initiates an MCP server installation — without the developer understanding they've triggered an install flow rather than navigating to a PR.
Click 2: The Deceptive Dialog
A confirmation dialog appears, which seems to show the MCP server details the user is approving. The problem is the dialog renders the command string in a single-line text box. The malicious payload is padded with whitespace to push it off-screen — so the truncated content the developer sees looks benign, while the actual malicious command is scrolled out of view.
The developer clicks "Confirm."
A malicious MCP server is now installed and running with full user-level privileges. There is no sandboxing layer for installed MCP servers in Cursor.
What Attackers Get
- Complete access to source code repositories the developer has open
- All credentials, API keys, and tokens stored in the environment
- Ability to install persistent malware or backdoors
- Lateral movement paths into the developer's employer's corporate systems and CI/CD pipelines
A Cluster of Cursor Vulnerabilities
DeepJack is not an isolated finding. July 2026 saw multiple independent Cursor vulnerability disclosures, indicating broad security research attention on AI-assisted coding environments:
Mindgard 0-day (disclosed July 14, 2026) — After 7 months of no response from Cursor's security vendor, Mindgard disclosed a zero-interaction RCE: placing a malicious binary named git.exe in a repository root causes Cursor to execute it automatically when the project is opened. No user clicks required.
DuneSlide (Cato AI Labs, CVE-2026-50548 + CVE-2026-50549, CVSS 9.8) — Zero-click RCE via prompt injection. Attacker-controlled content from an MCP server or poisoned web search result causes Cursor's AI agent to overwrite the cursorsandbox binary, fully escaping the sandbox. Patched in Cursor 3.0 (April 2, 2026).
CVE-2026-26268 (Novee Security) — Cursor's AI coding agent autonomously executes Git operations including pre-commit hooks, which can be weaponized by embedding malicious hooks in bare repositories hidden inside legitimate-looking repos.
Patch Status
| Vulnerability | Status (as of 2026-07-15) |
|---|---|
| DeepJack (Adversa AI) | Unpatched — Cursor 3.9.8 vulnerable |
| Mindgard 0-day | Unpatched |
| DuneSlide (CVE-2026-50548/50549) | Patched in Cursor 3.0+ |
| CVE-2026-26268 | Patch status not confirmed |
Mitigations
While waiting for a patch, developers and security teams can reduce exposure:
Inspect all deeplinks before clicking. Be suspicious of any link that triggers a Cursor install dialog, especially if received via PR comments, email, or chat.
Treat mcp/install deeplinks as potentially malicious. Organizations can add browser extension rules or corporate proxy policies to warn on cursor://mcp/install URI schemes.
Audit installed MCP servers. Review your Cursor MCP configuration file and remove any servers you did not explicitly and knowingly install.
Allowlist approved MCP servers at the org level. Cursor supports configuration management — restrict which MCP servers can be installed in managed developer environments.
Apply behavioral monitoring. Since the vulnerability is unpatched, detection is the fallback. Monitor for unusual process launches from Cursor, unexpected network egress from development machines, and credential access patterns after IDE activity.
Adversa AI's recommended fix is straightforward: Cursor should render the arguments field in the install confirmation dialog as multiline, so the full command is always visible before the user confirms.
Why This Matters
AI coding assistants have become deeply integrated into developer workflows and hold a privileged position on developer machines — open repositories, cached credentials, cloud provider tokens, and access to internal tooling. They are an increasingly attractive target for attackers who want to compromise a developer's machine as a stepping stone into a larger corporate environment.
The MCP ecosystem extends this attack surface further: third-party MCP servers can be installed from arbitrary sources and execute with full user privileges. As the ecosystem expands, the install surface for supply chain attacks grows with it.
The pattern Adversa documented — disguising an mcp/install trigger as a benign link, then obscuring the payload in the confirmation dialog — is a social engineering primitive that will likely be replicated in other AI tooling as MCP adoption broadens.
References
- Adversa AI — DeepJack: Cursor Deeplink Vulnerability
- Dark Reading — 2-Click Cursor Exploit Enables Dev Environment Takeover
- Mindgard — Cursor 0-day: When Full Disclosure Becomes the Only Protection Left
- Cato Networks — DuneSlide: Two Critical RCE Vulnerabilities via Prompt Injection in Cursor IDE
- Novee Security — CVE-2026-26268: AI Coding Agent Runs Exploits in Cursor IDE
- SecurityWeek — Unpatched Cursor Vulnerability Exposes Users to Code Execution