
GuardFall: 10/11 open-source AI coding agents fail a shell trick that's been public since Bash 1.0 (1989)
Adversa AI just published research on something they're calling GuardFall — not a single CVE, but a structural gap in how AI coding agents (Hermes, OpenCode, Roo-Code, and others) validate shell commands before execution.
The core issue: these agents filter the literal text of a command against regex/wildcard patterns. But Bash rewrites that text at runtime — quote removal, $IFS substitution, command substitution — so a string that passes the filter can still evaluate to the exact dangerous command the filter was supposed to block. Tested against 11 agents, 10 failed in at least one of four bypass classes. Only Continue reportedly closed the majority of the surface.
The worst variant doesn't even need the operator to opt into anything — a malicious repo's config (e.g. an .aider.conf.yml with auto-test: true and a poisoned test command) can fire on first accepted edit.
I previously covered a related failure mode here if you want more background: CISA Confirms Langflow RCE CVE-2026-33017 — different mechanism, same root problem: AI tooling given privileged execution with a safety layer that doesn't actually model what the underlying interpreter will do.
Curious what this sub thinks: is sandboxing/credential isolation the only real fix here, or is there a filtering approach that could actually work against a shell that rewrites its own input?
https://www.techgines.com/post/guardfall-ai-coding-agent-shell-injection-vulnerability