News

GuardFall Exposes Security Flaw in Open-Source AI Coding Agents

New research reveals a decades-old shell trick can bypass safety checks in 10 out of 11 popular AI coding agents, risking data theft and system damage.

The GuardFall research by Adversa AI highlights a widespread security flaw in open-source AI coding agents, allowing malicious commands to bypass safety checks. The vulnerability affects tools like opencode, Goose, and Plandex, emphasizing the need for better command validation.

GuardFall Research Reveals Security Flaw in AI Coding Agents

A new study by Adversa AI, dubbed GuardFall, has uncovered a significant security vulnerability in 10 out of 11 popular open-source AI coding and computer-use agents. The flaw allows attackers to bypass safety checks using a shell trick that has been known for decades, potentially leading to data theft or system damage.

The Vulnerability Explained

The issue arises because these AI agents check commands against a blocklist of dangerous patterns before execution. However, the commands are evaluated as plain text, while the shell (bash) rewrites the text before running it. This discrepancy means the filter and the shell interpret the command differently, allowing malicious instructions to slip through.

For example, a filter looking for the rm command might not flag r''m because the two strings appear different to a text matcher. However, bash removes the empty quotes and executes rm anyway. Similar techniques can hide commands in base64 or use tools like find and dd with destructive flags.

Affected Agents and Impact

The vulnerability affects 10 out of 11 tested agents, including opencode, Goose, Cline, Roo-Code, Aider, Plandex, Open Interpreter, OpenHands, SWE-agent, and Hermes. These tools collectively have approximately 548,000 GitHub stars as of May 2026. Only one agent, Continue, was found to defend against the flaw by evaluating commands the way bash would before execution.

The researchers demonstrated the attack end-to-end against the production Plandex binary and eight other agents. While no public exploitation has been reported, the potential consequences are severe, including unauthorized file deletion or theft of sensitive data such as SSH keys and cloud credentials.

How the Attack Works

Two conditions must be met for the attack to succeed:

  1. The AI must generate a malicious command, often disguised within seemingly normal work, such as a build file or documentation.
  2. The agent must run with an auto-execute flag enabled or its container sandbox disabled, which is common in automated pipelines.

Recommendations for Mitigation

While no complete fix exists, Adversa AI suggests several mitigation strategies:

  • Run agents with $HOME pointed to a temporary folder to protect sensitive files.
  • Disable auto-execute flags unless absolutely necessary.
  • Avoid allowing agents to run on pull requests from forks.
  • Treat configuration files within repositories as untrusted code.

Conclusion

The GuardFall research highlights a critical security gap in widely used AI coding agents. While Continue's approach offers a potential solution, the broader industry must adopt more robust command validation to prevent such vulnerabilities in the future.