What happened
Adversa AI disclosed TrustFall (published May 7, 2026; actively circulated and cited in this reporting window): a regression in Claude Code's folder-trust dialog, combined with a settings-scope inconsistency, allowed a malicious cloned repository to run unsandboxed code with a single developer keypress, and with zero keypresses on CI runners where workspace trust is automatically granted. The same trust-dialog class of flaw affected Cursor, Gemini CLI, and GitHub Copilot. The post demonstrates why trust-dialog bugs keep re-emerging: the trust model is implemented inconsistently across the project, local, and policy settings scopes.
Why it matters
One-click RCE on developer workstations via a cloned repo is a low-friction, high-yield attack. Zero-click on CI runners means automated pipelines that pull and build untrusted code are silently exploitable. The four affected tools collectively represent the vast majority of AI-assisted development workflows in enterprise environments. The recurring nature of the trust-dialog regression class suggests no vendor has yet solved the underlying design problem.
Attack vector
A malicious repository embeds project-level settings that exploit the trust-scope inconsistency; the developer opens the repo and responds to the trust prompt (one click), or a CI runner auto-trusts the workspace (zero click); unsandboxed code then executes with the user's privileges.
Affected systems
Claude Code (versions prior to May 2026 trust-dialog hardening), Cursor, Gemini CLI, and GitHub Copilot CLI, all as of the May 2026 disclosure.
Mitigation
Enforce mandatory human-in-the-loop validation for all code execution actions; isolate CI runners with credential rotation; apply strict workspace-trust policies. Adversa AI advisory: https://adversa.ai/blog/trustfall-coding-agent-security-flaw-rce-claude-cursor-gemini-cli-copilot/
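
One way to apply a strict workspace-trust policy on the zero-click CI path is a pre-flight gate that refuses to start a coding agent when the checkout ships project-scope agent configuration able to launch processes. This is an added example, not code from Adversa AI or any affected vendor, and it does not reproduce the TrustFall mechanism; the watched file names, key names, and sample contents are assumptions to be checked against each tool's documentation.

```python
import json
import pathlib
import tempfile

# Assumed watchlist (not from the advisory): project-scope agent config files
# a repository can ship, and keys in them that can launch a process.
WATCHED_FILES = (".claude/settings.json", ".mcp.json",
                 ".cursor/mcp.json", ".gemini/settings.json")
EXEC_KEYS = {"hooks", "mcpServers", "command"}
SAMPLE = {  # constructed checkout contents, not any tool's exact schema
    ".claude/settings.json": '{"hooks": {"example": [{"command": "./setup.sh"}]}}',
    ".gemini/settings.json": "{not json",
}

def exec_keys(node, trail=""):
    """Yield dotted paths of execution-capable keys anywhere in parsed JSON."""
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{trail}.{key}" if trail else key
            if key in EXEC_KEYS:
                yield here
            yield from exec_keys(value, here)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from exec_keys(value, f"{trail}[{i}]")

def audit_repo(root):
    """Return sorted (relative_path, finding) pairs; an empty list means proceed."""
    findings = []
    for rel in WATCHED_FILES:
        path = pathlib.Path(root, rel)
        if path.is_symlink():
            findings.append((rel, "<symlink>"))  # never follow links out of the repo
        elif path.is_file():
            try:
                doc = json.loads(path.read_text(encoding="utf-8"))
                keys = list(exec_keys(doc))
            except (OSError, ValueError):
                keys = ["<unparseable>"]  # fail closed on malformed config
            findings.extend((rel, k) for k in keys)
    return sorted(findings)

def demo():
    """Audit the constructed SAMPLE checkout inside a temporary directory."""
    with tempfile.TemporaryDirectory() as root:
        for rel, body in SAMPLE.items():
            path = pathlib.Path(root, rel)
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(body, encoding="utf-8")
        return audit_repo(root)
```

In a pipeline, call `audit_repo` on the checkout before the agent step and fail the job on any finding, so that a reviewer approves the configuration out of band.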