New research from Adversa AI, dubbed ‘GuardFall,’ reveals that ten out of eleven popular open-source AI coding agents are vulnerable to a decades-old shell injection technique. The bypass exploits a mismatch between how agents filter commands as plain text and how Bash interprets them, letting attackers run malicious commands, for example to delete files or steal credentials.
The vulnerability affects agents including opencode, Goose, Cline, Roo-Code, Aider, Plandex, Open Interpreter, OpenHands, SWE-agent, and the Hermes project. Only the ‘Continue’ agent was found to have built-in defenses, which work by parsing commands as Bash would. The attack requires the AI to generate a malicious command (e.g., hidden in a build file) and the agent to run with auto-execute enabled, a setting common in automated pipelines.
Adversa demonstrated a full attack against the production Plandex binary. No public exploitation has been reported. Mitigations include running agents with restricted home directories, disabling auto-execute flags, avoiding execution on pull requests from forks, and treating repository config files as untrusted code.
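The mismatch between plain-text filtering and shell interpretation, as an added example (not code from Adversa or from any of the agents named above): a raw-string denylist is compared with a check that tokenizes the command first and then runs it without a shell. The denylist, the allowlist, the function names and the sample commands are all constructed for this sketch.

```python
import re
import shlex

# Hypothetical policy: programs the agent may auto-execute.
ALLOWED_PROGRAMS = {"ls", "cat", "git", "grep"}
# Hypothetical plain-text denylist, the weak pattern described above.
DENYLIST = re.compile(r"\brm\b|\bcurl\b")
# Characters that make Bash do more than run one program with literal args
# (expansion, substitution, chaining, redirection, globbing, escaping).
SHELL_ACTIVE = set("$`;&|<>(){}*?[]~!#\\\n")


def text_filter_allows(command: str) -> bool:
    """Weak check: scans the raw string, before any shell processing."""
    return DENYLIST.search(command) is None


def shell_aware_argv(command: str):
    """Strict check: return an argv list to execute WITHOUT a shell, or None."""
    if SHELL_ACTIVE & set(command):
        return None  # conservative: refuse shell syntax, even inside quotes
    try:
        argv = shlex.split(command)  # POSIX quote removal, as the shell does
    except ValueError:
        return None  # unbalanced quotes
    if not argv or argv[0] not in ALLOWED_PROGRAMS:
        return None  # decision is made on the word the shell would execute
    return argv  # pass to subprocess.run(argv, shell=False)


# Constructed sample commands, standing in for model-generated output.
SAMPLES = [
    "git status",
    "r''m -rf ./build",       # quotes vanish when the shell parses the word
    "ls $(cat notes.txt)",    # command substitution inside an allowed command
]

if __name__ == "__main__":
    for cmd in SAMPLES:
        print(f"{cmd!r}: text filter allows={text_filter_allows(cmd)}, "
              f"shell-aware argv={shell_aware_argv(cmd)}")
```

An allowlist of program names says nothing about what an allowed program runs from repository-controlled files, which is why the mitigations above also treat repository config files as untrusted code.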
CVEs: CVE-2026-20245
Companies: Adversa AI
Products: opencode, Goose, Cline, Roo-Code, Aider, Plandex, Open Interpreter, OpenHands, SWE-agent, Hermes, Continue, Claude Sonnet 4.6
Original source: thehackernews.com