Cursor Review (July 2026): New Team Pricing, the DuneSlide Patch, and the iOS App
Published July 5, 2026 · Updated July 5, 2026 · by Pondero Reviews
The short version
Two CVSS 9.8 flaws, a split Teams price, and a new iPhone app all landed on Cursor in the last month. Here is the buy/wait/skip call for solo devs, teams, and enterprise as of July 2026.
Pros
- ✓The Tab model predicts your next edit across a file, not just the next token, so it follows a rename down every call site
- ✓Composer applies one instruction across many files and shows every diff before it writes
- ✓It is a VS Code fork, so extensions, keybindings, and settings carry over on day one
- ✓The DuneSlide RCE flaws are already patched in Cursor 3.0 (shipped April 2), so a current install closes the hole
- ✓The new iOS app launches cloud agents and remote-controls desktop agents from your phone
Cons
- ✕The July 1 Teams split adds a real decision: Standard at $32/mo annual vs Premium at $96/mo annual, and picking wrong overpays or throttles power users
- ✕Both CVSS 9.8 DuneSlide flaws entered through MCP servers and web-search results, exactly the workflows Cursor's best users run, so any 2.x install is exposed until updated
- ✕Heavy Composer days exhaust the included usage pool and bill on-demand in arrears
- ✕Past roughly 50k files the codebase index lags and project-wide answers thin out
Cursor Review (July 2026): New Team Pricing, the DuneSlide Patch, and the iOS App
Three things changed on Cursor in the last month, and two of them change the buying decision. On July 1, Cursor's new Teams structure hit existing customers, splitting the old single team tier into Standard ($32/mo annual) and Premium ($96/mo annual), per Cursor's pricing blog. The same week, Cato AI Labs published DuneSlide: two CVSS 9.8 remote-code-execution flaws that let a prompt escape Cursor's sandbox, both already patched in Cursor 3.0, per Cato Networks. And the native iOS app went live June 29. The editor on your machine behaves the way it did in June. What moved is the price a team pays, the security floor you need to be above, and where you can drive an agent from.
Here is the short version before the detail. Solo devs: buy, at $16/mo on annual billing (cursor.com/pricing, as of 2026-07-05), once you confirm you are on 3.0 or later. Teams: Standard is the right default; reserve Premium for the one or two people who run agents all day. Enterprise: fine, but write a "3.0 minimum" line into your rollout policy before you widen seats, because DuneSlide is the reason.
What changed since the June review
Four dated items, in the order they matter to a buyer.
- DuneSlide disclosed (July 1, 2026). Cato AI Labs published two remote-code-execution vulnerabilities, CVE-2026-50548 and CVE-2026-50549, both rated CVSS 9.8, per Cato Networks. Both are fixed in Cursor 3.0, released April 2, per The Hacker News. The CVE IDs were only assigned June 5 and the full write-up landed after the June review published.
- Teams pricing split (effective July 1, 2026). The single Teams tier became two. Standard costs $32/mo per seat annual ($40 monthly); Premium costs $96/mo per seat annual ($120 monthly) and carries 5x the included usage at 3x the price, per Cursor's pricing blog. New customers got the structure June 1; existing customers rolled over on billing cycles starting July 1.
- iOS app shipped (June 29, 2026). The native app launches cloud agents and remote-controls desktop agents from an iPhone, per Cursor's blog and The Next Web.
- Bugbot got faster and cheaper (June 10 changelog). Average review time dropped to about 90 seconds from roughly five minutes, runs cost about 22% less, and Bugbot finds about 10% more issues per review (0.62 vs 0.56), per the Cursor changelog. That predates all of the above and is a straight product win.
The pricing change and the security disclosure are the two takeaways a buyer needs today. The rest is context.
DuneSlide: what it was, and why MCP users should care
The two flaws let a prompt injected through an MCP server or a poisoned web-search result overwrite files outside Cursor's sandbox and run arbitrary code as the logged-in user, per Cato Networks. No click, no approval box. That is the whole attack, and it is worth understanding because the entry point is a feature, not a mistake in your setup.
Cursor 2.x runs the terminal commands its agent issues inside a sandbox by default, so a stray instruction cannot wreck the machine, per Cato Networks. DuneSlide is about getting out of that box. The first flaw (CVE-2026-50548) abuses the optional working-directory parameter on the run-terminal-command tool: a prompt injection sets that path to somewhere outside the project, and the sandbox dutifully adds it to the allowed-write list. The second (CVE-2026-50549) uses a symlink whose canonicalization fails, so Cursor falls back to trusting the in-project path and writes through it. Either way, the target is the same file: the cursorsandbox binary itself. Overwrite that, and every command after it runs unsandboxed.
The reason this matters for Cursor's best users specifically: the payload arrives through an MCP server or a web-search result, per The Hacker News. Those are the exact workflows a power user runs. Connect the agent to a Linear or GitHub MCP, let it search the web mid-task, and you have opened the two channels DuneSlide travels down. A developer who runs Cursor as a plain editor with no MCP connections has a smaller surface. A developer who wires it into five services has the full one.
The fix is not something you build. It shipped. Both bugs are patched in Cursor 3.0, released April 2, and every version before 3.0 is affected, per The Hacker News. The action is one line:
# Confirm your Cursor version is 3.0 or later (Help > About, or the CLI):
cursor --version
If that prints anything below 3.0, update before you run another agent task. For a team, this is not a per-developer nicety. Cato's timeline shows Cursor first rejected the report in February on the grounds that its threat model did not account for MCP misuse, then re-opened it after escalation, per Cato Networks. The lesson for a rollout policy is concrete: pin a minimum version, and treat MCP connections as part of your attack surface, not as free plumbing.
What the Tab model actually does
This is the reason to pay, and the reason has not changed. Ordinary autocomplete answers one question: given where your cursor sits, what comes next. Cursor's Tab model answers a different one. Given the edit you just made, where do you go next and what do you type there.
Rename a struct field and Tab queues the call-site fixes down the file. You cycle through them with Tab, Tab, Tab. That is a diff predictor trained on edit sequences, so it tracks a refactor in progress instead of guessing one line in isolation.
The accuracy is not uniform, and the reason is mechanical. On typed code the model has type information to constrain the next edit, so the call-site predictions during a rename hold up. On untyped Python the same feature degrades, because the constraint that made the prediction cheap is gone. If most of your work is dynamic and untyped, discount the headline feature. That single variable decides whether Cursor earns its price for you more than any pricing tier does.
Composer is the same idea across many files: one instruction, a set of diffs, every one shown before it writes. Its failure mode is worth naming, because it compounds. A wrong edit in the first file becomes context for the second, so a bad assumption spreads down the change set before any test runs. Keep Composer changes small enough to read every diff, and it handles multi-file refactors a chat-window tool structurally cannot.
Pricing as of July 2026
The individual side is unchanged; the team side is where the July 1 restructure bites. Every tier includes a set amount of model usage and then bills on-demand in arrears, per cursor.com/pricing.
| Plan | Annual (per seat/mo) | Monthly (per seat/mo) | Source |
|---|---|---|---|
| Hobby | Free | Free | cursor.com/pricing |
| Individual (Pro) | $16 | $20 | cursor.com/pricing |
| Teams Standard | $32 | $40 | pricing blog |
| Teams Premium | $96 | $120 | pricing blog |
| Enterprise | Custom | Custom | quote-only, cursor.com/pricing |
Figures as of 2026-07-05, per cursor.com/pricing and Cursor's pricing blog (Jun 1, 2026). Teams Standard carries two usage pools (Composer/Auto and third-party API); Premium adds 5x Standard's included usage at 3x the seat cost.
The team math is the new part. Cursor's own framing: a small number of power users on any team drive the majority of on-demand spend, so Premium exists to make those users predictable, at 5x the included usage for 3x the seat price, per Cursor's pricing blog. Read that the other way and it tells you how to buy. Put everyone on Standard. Watch the admin dashboard for the two or three seats that keep spilling into on-demand billing. Move only those to Premium. Buying Premium across the whole team because a few people are heavy is how you overpay, and Cursor lets you mix seat types freely, so you do not have to.
The iOS app, briefly
The native iPhone app went live June 29 in public beta for paid plans. It does two things: launches cloud agents that run in the background and lets you supervise them from your phone, and remote-controls an agent already running on your desktop, with voice input and slash commands, per Cursor's blog and The Next Web. It matters most to developers who already run long cloud-agent jobs and want to check or redirect them away from the keyboard; it does not turn a phone into a full editor. Our news coverage has the full feature rundown.
Who should buy, and who should wait
Split it by buyer, because the two changes this month hit each one differently.
Solo developers: buy. The Tab model pays for itself in recovered edit time, the switch off VS Code is a config import rather than a tooling rebuild, and $16/mo on annual billing (cursor.com/pricing) is a low-stakes bet. DuneSlide does not change that call; it just adds a prerequisite. Update to 3.0 or later first, then subscribe. If you run any MCP servers, that update is not optional.
Teams: Standard first, Premium by exception. The July 1 split is the real decision now, and it is easier than it looks. Standard at $32/mo annual per seat covers most developers, per Cursor's pricing blog. Premium at $96/mo annual is worth it only for the seats that consistently blow through the included pool. Start everyone on Standard, let the usage dashboard show you who the heavy users are, and upgrade those seats individually. The candid con: the two-pool structure and the seat-mixing math mean an admin now has to watch usage instead of setting one price and forgetting it.
Enterprise: fine, with a version floor. The utility argument is unchanged, but DuneSlide changes your rollout checklist. Require Cursor 3.0 or later as a hard minimum before you widen seats, treat MCP connections as part of the attack surface in your security review, and ask your account rep how the sandbox model has changed since 3.0. None of that is a reason to skip Cursor. It is the reason to deploy it deliberately.
Heavy-monorepo teams: look harder regardless. If your daily work lives in a 50k-plus-file repo, the index lag erodes the project-aware features that justify the price, and no pricing tier fixes that. A lighter editor plus a separate model may serve you better.
The verdict
Cursor is still the strongest AI editor in mid-2026, and the Tab model's next-edit prediction is why. The rating drops half a point to 4.4, and the reason is the two changes this month, not the editor. DuneSlide is a genuinely serious sandbox-escape class (CVSS 9.8, patched in 3.0), and the Teams split adds real pricing complexity where there used to be one number. Neither breaks the tool. Both mean you have to think a little harder before you buy.
For a solo developer, it is a clear buy at $16/mo annual (cursor.com/pricing), update to 3.0 first. For a team, put everyone on Standard ($32/mo annual) and promote only the power users to Premium ($96/mo annual) once the usage data tells you who they are, per Cursor's pricing blog. For enterprise, deploy it, but pin a 3.0 minimum and read MCP connections as attack surface.
If you want to start, pull the current tiers from Cursor's pricing page, confirm your version is 3.0 or later, and import an existing VS Code profile so the only variable you are evaluating is the AI itself.
Ready to try it?
Try cursor →