Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1913+ Articles
150+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. News
  3. 2-Click Cursor Exploit Enables Dev Environment Takeover
2-Click Cursor Exploit Enables Dev Environment Takeover
NEWS

2-Click Cursor Exploit Enables Dev Environment Takeover

DeepJack: two clicks in Cursor IDE silently installs a malicious MCP server with full user privileges, stealing source code and secrets. Unpatched in July 2026.

Dylan H.

News Desk

July 16, 2026
5 min read

Two Clicks to Full Compromise

Adversa AI published research on July 15, 2026 detailing DeepJack — a two-click attack chain targeting Cursor IDE that installs a malicious Model Context Protocol (MCP) server with full user-level privileges. The exploit requires no authentication, no prior foothold, and no user-supplied credentials: just two clicks on what appears to be a routine pull request link.

Cursor has over 7 million active users and more than 50,000 company deployments. As of time of publication, Cursor 3.9.8 remains vulnerable.

How DeepJack Works

The attack exploits two classic, well-understood vulnerability classes — argument injection and UI deception — combined in a new context.

Click 1: The Disguised Link

Attackers craft a URL that appears to be a standard GitHub pull request review link. However, the URL uses double URL encoding to hide an mcp/install deeplink URI inside it. When a developer clicks the link, Cursor's deeplink handler processes it and silently initiates an MCP server installation — without the developer understanding they've triggered an install flow rather than navigating to a PR.

Click 2: The Deceptive Dialog

A confirmation dialog appears, which seems to show the MCP server details the user is approving. The problem is the dialog renders the command string in a single-line text box. The malicious payload is padded with whitespace to push it off-screen — so the truncated content the developer sees looks benign, while the actual malicious command is scrolled out of view.

The developer clicks "Confirm."

A malicious MCP server is now installed and running with full user-level privileges. There is no sandboxing layer for installed MCP servers in Cursor.

What Attackers Get

  • Complete access to source code repositories the developer has open
  • All credentials, API keys, and tokens stored in the environment
  • Ability to install persistent malware or backdoors
  • Lateral movement paths into the developer's employer's corporate systems and CI/CD pipelines

A Cluster of Cursor Vulnerabilities

DeepJack is not an isolated finding. July 2026 saw multiple independent Cursor vulnerability disclosures, indicating broad security research attention on AI-assisted coding environments:

Mindgard 0-day (disclosed July 14, 2026) — After 7 months of no response from Cursor's security vendor, Mindgard disclosed a zero-interaction RCE: placing a malicious binary named git.exe in a repository root causes Cursor to execute it automatically when the project is opened. No user clicks required.

DuneSlide (Cato AI Labs, CVE-2026-50548 + CVE-2026-50549, CVSS 9.8) — Zero-click RCE via prompt injection. Attacker-controlled content from an MCP server or poisoned web search result causes Cursor's AI agent to overwrite the cursorsandbox binary, fully escaping the sandbox. Patched in Cursor 3.0 (April 2, 2026).

CVE-2026-26268 (Novee Security) — Cursor's AI coding agent autonomously executes Git operations including pre-commit hooks, which can be weaponized by embedding malicious hooks in bare repositories hidden inside legitimate-looking repos.

Patch Status

VulnerabilityStatus (as of 2026-07-15)
DeepJack (Adversa AI)Unpatched — Cursor 3.9.8 vulnerable
Mindgard 0-dayUnpatched
DuneSlide (CVE-2026-50548/50549)Patched in Cursor 3.0+
CVE-2026-26268Patch status not confirmed

Mitigations

While waiting for a patch, developers and security teams can reduce exposure:

Inspect all deeplinks before clicking. Be suspicious of any link that triggers a Cursor install dialog, especially if received via PR comments, email, or chat.

Treat mcp/install deeplinks as potentially malicious. Organizations can add browser extension rules or corporate proxy policies to warn on cursor://mcp/install URI schemes.

Audit installed MCP servers. Review your Cursor MCP configuration file and remove any servers you did not explicitly and knowingly install.

Allowlist approved MCP servers at the org level. Cursor supports configuration management — restrict which MCP servers can be installed in managed developer environments.

Apply behavioral monitoring. Since the vulnerability is unpatched, detection is the fallback. Monitor for unusual process launches from Cursor, unexpected network egress from development machines, and credential access patterns after IDE activity.

Adversa AI's recommended fix is straightforward: Cursor should render the arguments field in the install confirmation dialog as multiline, so the full command is always visible before the user confirms.

Why This Matters

AI coding assistants have become deeply integrated into developer workflows and hold a privileged position on developer machines — open repositories, cached credentials, cloud provider tokens, and access to internal tooling. They are an increasingly attractive target for attackers who want to compromise a developer's machine as a stepping stone into a larger corporate environment.

The MCP ecosystem extends this attack surface further: third-party MCP servers can be installed from arbitrary sources and execute with full user privileges. As the ecosystem expands, the install surface for supply chain attacks grows with it.

The pattern Adversa documented — disguising an mcp/install trigger as a benign link, then obscuring the payload in the confirmation dialog — is a social engineering primitive that will likely be replicated in other AI tooling as MCP adoption broadens.

References

  • Adversa AI — DeepJack: Cursor Deeplink Vulnerability
  • Dark Reading — 2-Click Cursor Exploit Enables Dev Environment Takeover
  • Mindgard — Cursor 0-day: When Full Disclosure Becomes the Only Protection Left
  • Cato Networks — DuneSlide: Two Critical RCE Vulnerabilities via Prompt Injection in Cursor IDE
  • Novee Security — CVE-2026-26268: AI Coding Agent Runs Exploits in Cursor IDE
  • SecurityWeek — Unpatched Cursor Vulnerability Exposes Users to Code Execution
#Cursor IDE#MCP#AI Tools#Developer Security#RCE#Supply Chain#Exploit

Related Articles

Trojanized MCP Server Deploys StealC Infostealer Targeting

A SmartLoader campaign distributes a trojanized Model Context Protocol (MCP) server disguised as Oura Health's legitimate tool, deploying StealC...

2 min read

Cursor Flaw Lets Malicious Cloned Repositories Trigger Windows Code Execution

A design flaw in the Cursor AI code editor on Windows executes any file named git.exe found in the root of a cloned project directory — automatically, with no prompt or warning, simply by opening the repository. Malicious repositories can weaponize this to steal SSH keys, cloud tokens, and source code on first open.

5 min read

'Ghostcommit' Hides Prompt Injection in Images to Fool AI Agents and Steal Secrets

Security researchers have demonstrated 'Ghostcommit,' a technique that embeds prompt injection payloads inside PNG images to bypass AI code review tools...

4 min read
Back to all News