Vulnerability  ·  2026-07-02

GuardFall — Shell-Interpretation Bypass Exposes 10 of 11 Open-Source AI Coding Agents to Supply Chain Attacks

Vulnerability · High impact · Global
Adversa AI publicly disclosed GuardFall on June 30, 2026 — a structural class of shell-guard bypasses affecting 10 of 11 popular open-source AI coding and computer-use agents. The root cause is that agents validate the raw command text while bash later rewrites that text through expansion and substitution, so regex-based blocklists check a string that is not the one bash actually executes. SecurityWeek and The Hacker News both covered the disclosure on June 30–July 1, 2026. End-to-end exploitation was demonstrated against Plandex. No in-the-wild exploitation has been reported, and no CVE has been assigned yet.
AI coding agents run with the developer's full account authority. A single poisoned repository file — README, Makefile, MCP response, or package metadata — can silently exfiltrate SSH keys and cloud credentials from any developer who clones it and runs a vulnerable agent. With 10 of 11 major tools affected and millions of developers adopting AI coding agents, the supply chain blast radius is enormous.
Agents inspect raw command strings against a safety blocklist, then pass the command to bash. Bash rewrites the string via quote removal, $IFS expansion, command substitution, and encoded pipelines — decades-old shell tricks that were never accounted for in the agents' safety checks. Adversa AI (GuardFall disclosure, June 30 2026) demonstrated end-to-end exploitation against the production Plandex binary: poisoned content in a repository file triggers the agent to emit an obfuscated command that exfiltrates SSH keys, cloud credentials, and $HOME files.
Affected agents: Hermes, opencode, Goose, Cline, Roo-Code, Aider, Plandex, Open Interpreter, OpenHands, SWE-agent (10 of 11 surveyed). Continue is the only substantially mitigated agent.
Mitigations: disable auto-execute features in affected agents; isolate or redirect $HOME; avoid running agents on forked pull requests; audit repository-shipped configs; and adopt tokenize-and-canonicalize command enforcement (structural parsing) rather than regex or raw-string blocklists. Monitor the Adversa AI blog and individual agent changelogs for patches: https://adversa.ai/blog/opensource-ai-coding-agents-shell-injection-vulnerability
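As an added illustration (not code from Adversa AI or from any of the agents named above), the following Python contrasts a regex-over-raw-text guard with the tokenize-and-canonicalize approach recommended here. The path policy, the helper names and the sample commands are constructed assumptions; the canonicalizer uses the standard-library shlex to perform POSIX quote removal and refuses anything whose final form only bash can decide.

```python
from __future__ import annotations
import re
import shlex

# Constructed policy: no command may reference SSH or cloud credential dirs.
SENSITIVE_PATH = re.compile(r"\.ssh/|\.aws/")

# Bash constructs whose final text is known only at execution time
# (parameter expansion, command substitution, arithmetic). A static guard
# cannot predict them, so the structural guard refuses instead of guessing.
DYNAMIC_MARKERS = ("$", "`")


def raw_guard_allows(cmd: str) -> bool:
    """The vulnerable pattern: a regex applied to the raw command string."""
    return SENSITIVE_PATH.search(cmd) is None


def canonicalize(cmd: str) -> list[str] | None:
    """Tokenize the way a POSIX shell does, including quote removal.

    Returns the word list bash would see after quote removal, or None when
    the command cannot be analyzed statically: it contains expansions or
    substitutions, unbalanced quotes, or control operators (; | &) that let
    one string carry several commands.
    """
    if any(m in cmd for m in DYNAMIC_MARKERS):
        return None
    try:
        words = shlex.split(cmd, posix=True)   # drops quotes, keeps content
    except ValueError:                          # unbalanced quoting
        return None
    if any(ch in w for w in words for ch in ";|&"):
        return None
    return words


def structural_guard_allows(cmd: str) -> bool:
    """Enforce the same policy on canonical tokens rather than raw text."""
    words = canonicalize(cmd)
    if not words:
        return False                            # unanalyzable => deny
    return not any(SENSITIVE_PATH.search(w) for w in words)


# Constructed inputs: the plain command, the same command rewritten via
# quote removal and via expansion of an unset variable, and a benign one.
SAMPLES = ["cat ~/.ssh/id_rsa", "cat ~/.s''sh/id_rsa",
           "cat ~/.s${X}sh/id_rsa", "ls -la src"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r:26} raw={raw_guard_allows(s)} structural={structural_guard_allows(s)}")
```

Running it shows the raw guard admitting both rewritten forms while the structural guard denies them, which is the gap the disclosure describes.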
Sources
Adversa AI — GuardFall AI Coding Agents Shell Injection Vulnerability
SecurityWeek — Decades-Old Bash Tricks Expose AI Coding Agents to Supply Chain Attacks (Jun 30 2026)
The Hacker News — GuardFall Exposes Open-Source AI Coding Agents to Decades-Old Shell Injection Risks