Cybersecurity · July 1, 2026 · via Security Affairs

GuardFall Flaw Exposes Open-Source AI Agents to Shell Injection Risks



A critical security flaw in open-source AI coding and computer-use agents could let attackers execute unauthorized commands on users' systems. Researchers at Adversa AI discovered that ten of eleven widely used agents—including Hermes, opencode, and Goose—are vulnerable to shell injection via bypasses in their command filters. Only one agent, Continue, remained unaffected in the survey.

The Root of the Problem

The vulnerability, dubbed GuardFall, stems from a long-standing mismatch between how security filters check commands and how the Bash shell interprets them. Most agents rely on string pattern matching to block dangerous commands, but Bash rewrites commands before execution—expanding variables, removing quotes, and performing substitutions. This means a filter may approve a command like rm$IFS-rf$IFS/ as "safe," while Bash executes it as three separate arguments, effectively running rm -rf /.

Adversa identified five bypass classes, each exploiting Bash's text-processing features. Some attacks obfuscate commands using alternative syntax, while others chain benign-looking operations to achieve destructive outcomes. The most resilient bypasses involve commands like find /x -delete or install -m 4755 payload /usr/local/bin/backdoor, which bypass simple denylists focused on rm -rf.
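The mismatch described above, as an added example that is not Adversa's code nor any agent's actual filter: a naive regex denylist over the raw string approves rm$IFS-rf$IFS/ because it never sees the whitespace Bash will insert, while a checker that refuses every construct Bash would rewrite and applies its rules to the resolved argv rejects it, together with the find -delete and install -m 4755 cases. The rule set and function names are constructed for illustration and are deliberately small.

```python
import re
import shlex

# A denylist of the kind the article describes: regexes applied to the raw command string.
NAIVE_DENYLIST = [re.compile(r"\brm\s+-[a-zA-Z]*[rR]")]

def naive_filter(cmd: str) -> bool:
    """Flawed approach: allow unless the raw text matches a denied pattern."""
    return not any(p.search(cmd) for p in NAIVE_DENYLIST)

# Any of these lets Bash rewrite the command before it runs (expansion, quote removal,
# substitution, chaining). A static checker cannot predict the result, so it fails closed.
REWRITE_CONSTRUCTS = re.compile(r"""[$`\\'"{}()|&;<>*?~\[\]\n]""")

# Argv-level rules keyed on the resolved program name; each returns True when the
# argument vector is dangerous. Constructed for this example, not an exhaustive policy.
def _rm_rule(args):
    return "--recursive" in args or any(
        a.startswith("-") and not a.startswith("--") and "r" in a.lower() for a in args)

def _find_rule(args):
    return any(a in ("-delete", "-exec", "-execdir") for a in args)

def _install_rule(args):
    # a four-digit numeric mode whose first digit sets setuid/setgid, e.g. "-m 4755"
    return any(f == "-m" and v.isdigit() and len(v) == 4 and v[0] in "2467"
               for f, v in zip(args, args[1:]))

ARGV_RULES = {"rm": _rm_rule, "find": _find_rule, "install": _install_rule}

def hardened_filter(cmd: str) -> bool:
    """Allow only commands whose argv is statically resolvable and passes the argv rules."""
    if REWRITE_CONSTRUCTS.search(cmd):
        return False
    try:
        argv = shlex.split(cmd)
    except ValueError:
        return False
    if not argv:
        return False
    prog = argv[0].rsplit("/", 1)[-1]  # /bin/rm and rm name the same binary
    rule = ARGV_RULES.get(prog)
    return not (rule and rule(argv[1:]))
```

The fail-closed check also rejects harmless quoted or piped commands, which is the trade-off an agent accepts when it cannot see the command as Bash will run it.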

Why Patching Isn’t Straightforward

The issue isn’t poor coding but a fundamental design flaw in how AI agents secure shell commands. Filters that deny specific patterns fail against commands rewritten by Bash or composed of multiple steps. Adversa’s research began after finding a bypass in NousResearch/hermes-agent, where a 30-pattern regex denylist was defeated by shell rewrites. Expanding such defenses to account for all possible dangerous flag combinations across POSIX utilities would require exhaustive, per-binary analysis—a daunting task for open-source maintainers.

For users, the risk lies in trusting AI agents with system access. Adversa notes that these tools often operate with full account privileges, including SSH keys and cloud credentials. While no active exploits have been reported, the potential for prompt injection attacks via untrusted content (like a poisoned README file) makes this a pressing concern for developers and organizations relying on AI-assisted coding.


Source: Security Affairs. AI-assisted editorial synthesis — TechnoExpress.

