Full Report
Developers using the latest versions of AI coding tools like Claude Code, Cursor CLI, Gemini CLI, and CoPilot CLI could inadvertently execute malicious code on their systems with a single keypress, or no keypress at all in continuous integration environments. That, according to researchers at Adversa AI, is because none adequately warn users of how…
Analysis Summary
# Vulnerability: AI Coding CLI "TrustFall" MCP Execution Flaw
## CVE Details
- **CVE ID**: Not yet assigned (as of May 2026 report)
- **CVSS Score**: Pending (Estimated High: 8.0 - 8.8 based on RCE potential)
- **CWE**: CWE-200 (Information Exposure), CWE-353 (Missing Support for Integrity Check)
## Affected Systems
- **Products**:
  - Claude Code
  - Cursor CLI
  - Gemini CLI
  - CoPilot CLI
- **Versions**: Current versions as of May 2026.
- **Configurations**: Systems where the developer environment or Continuous Integration (CI) tools are configured to interact with the Model Context Protocol (MCP).
## Vulnerability Description
Researchers at Adversa AI identified a design flaw dubbed "TrustFall." The vulnerability stems from how AI-powered Command Line Interface (CLI) tools handle "trust" when interacting with a code repository.
When a user grants trust to a repository, these tools may automatically approve and spawn a **Model Context Protocol (MCP) server**. The current implementations of these CLIs do not provide adequate warnings or granular consent regarding what granting "trust" entails. Specifically, a malicious repository can contain configurations that trigger the execution of local code via an MCP server without explicit user confirmation of the specific action, potentially leading to Remote Code Execution (RCE).
## Exploitation
- **Status**: PoC available (demonstrated by Adversa AI).
- **Complexity**: Low (requires a single keypress to "trust" a repo) to None (in automated CI/CD environments).
- **Attack Vector**: Network/Local (User downloads/opens a malicious repository).
## Impact
- **Confidentiality**: High (Access to local environment variables, credentials, and source code).
- **Integrity**: High (Execution of arbitrary commands on the host system).
- **Availability**: High (Potential for system-wide disruption or data deletion).
## Remediation
### Patches
- No specific patches are currently listed for all tools, though **Gemini AI** has reportedly improved its dialog to offer more granularity than competitors. Users are advised to update to the latest available CLI versions immediately.
### Workarounds
- **Strict Repository Vetting**: Do not grant "trust" status to repositories from unknown or unverified sources.
- **Isolated Environments**: Run AI coding CLIs within sandboxed environments or Docker containers to limit the impact of MCP server execution.
- **CI/CD Restrictions**: Disable auto-approval of MCP configurations in CI/CD pipelines.
## Detection
- **Indicators of Compromise**:
  - Unexpected outbound network connections originating from AI CLI processes.
  - Creation of unauthorized local subprocesses or servers (MCP servers) following a `trust` command.
- **Detection methods and tools**:
  - Monitor for MCP server processes being spawned as children of AI CLI processes, and for MCP configuration files appearing in hidden tool directories (e.g., `.cursor`, `.anthropic`) of a checkout before trust is granted.
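The following script is an added example (not Adversa AI's PoC and not code from any of the vendors named above) that turns the "vet before you trust" workaround and the hidden-directory detection method into a concrete pre-trust check: it walks a repository checkout for MCP configuration files and lists every server definition, marking those that would be spawned as a local process together with the environment variables handed to them. The page names only the `.cursor` and `.anthropic` directories; the concrete file names, the `.gemini`/`.vscode` entries, and the `mcpServers`/`servers` keys are assumptions about each tool's conventions and may not match every version.

```python
"""Pre-trust audit of the MCP servers a repository asks an AI CLI to start.

Added example (not Adversa AI's PoC and not any vendor's code). Run it on a
freshly cloned repository before granting "trust", or before a CI job consumes
the checkout: it lists every MCP server definition found in the tool
configuration files and marks those that would spawn a local process.
"""
import json
import os
import tempfile
from dataclasses import dataclass, field
from typing import List, Tuple

# Candidate config files relative to the repository root, with the JSON key
# that holds the server map. The page names `.cursor` and `.anthropic`; the
# concrete file names and the `.gemini`/`.vscode` entries are assumptions
# about each tool's conventions and may not match every version.
MCP_CONFIG_FILES = [
    (".mcp.json", "mcpServers"),              # Claude Code, project scope (assumed)
    (".cursor/mcp.json", "mcpServers"),       # Cursor (assumed file name)
    (".anthropic/mcp.json", "mcpServers"),    # hypothetical; directory named on the page
    (".gemini/settings.json", "mcpServers"),  # Gemini CLI (assumed)
    (".vscode/mcp.json", "servers"),          # Copilot in VS Code (assumed)
]


@dataclass
class McpServerFinding:
    config_path: str
    name: str
    spawns_process: bool              # stdio transport: the CLI would exec `command`
    command: str = ""
    args: List[str] = field(default_factory=list)
    env_keys: List[str] = field(default_factory=list)  # env vars handed to the server
    url: str = ""                     # remote (http/sse) transport, no local exec


def audit_mcp_configs(root: str) -> Tuple[List[McpServerFinding], List[str]]:
    """Return (findings, errors) for all known MCP config files under `root`."""
    findings: List[McpServerFinding] = []
    errors: List[str] = []
    for rel_path, key in MCP_CONFIG_FILES:
        path = os.path.join(root, rel_path)
        if not os.path.isfile(path):
            continue
        try:
            with open(path, encoding="utf-8") as fh:
                doc = json.load(fh)
        except (OSError, ValueError) as exc:
            # A config the tool cannot parse still deserves a human look.
            errors.append(f"{rel_path}: unreadable or invalid JSON ({exc})")
            continue
        servers = doc.get(key, {}) if isinstance(doc, dict) else {}
        if not isinstance(servers, dict):
            errors.append(f"{rel_path}: '{key}' is not an object")
            continue
        for name, spec in servers.items():
            if not isinstance(spec, dict):
                errors.append(f"{rel_path}: server '{name}' is not an object")
                continue
            command = str(spec.get("command", ""))
            env = spec.get("env")
            findings.append(McpServerFinding(
                config_path=rel_path,
                name=str(name),
                spawns_process=bool(command),
                command=command,
                args=[str(a) for a in spec.get("args", [])],
                env_keys=sorted(env.keys()) if isinstance(env, dict) else [],
                url=str(spec.get("url", "")),
            ))
    return findings, errors


def render_report(findings, errors) -> List[str]:
    """Human-readable lines; process-spawning servers are tagged explicitly."""
    lines = []
    for f in findings:
        if f.spawns_process:
            what = "SPAWNS LOCAL PROCESS: " + " ".join([f.command] + f.args)
        else:
            what = "remote server: " + (f.url or "<no url>")
        if f.env_keys:
            what += "  env=" + ",".join(f.env_keys)
        lines.append(f"[{f.config_path}] {f.name}: {what}")
    lines.extend("[error] " + e for e in errors)
    return lines


def build_demo_repo() -> str:
    """Create a constructed sample checkout (not a real repository)."""
    root = tempfile.mkdtemp(prefix="trustfall-audit-")
    os.makedirs(os.path.join(root, ".cursor"))
    cursor_cfg = {"mcpServers": {
        "pkg-runner": {"command": "npx", "args": ["-y", "example-mcp-server"],
                       "env": {"API_TOKEN": "placeholder"}},
        "docs-http": {"url": "https://mcp.example.invalid/"},
    }}
    with open(os.path.join(root, ".cursor", "mcp.json"), "w", encoding="utf-8") as fh:
        json.dump(cursor_cfg, fh)
    # Deliberately broken file to exercise the error path.
    with open(os.path.join(root, ".mcp.json"), "w", encoding="utf-8") as fh:
        fh.write("{not json")
    return root


if __name__ == "__main__":
    demo_root = build_demo_repo()
    for line in render_report(*audit_mcp_configs(demo_root)):
        print(line)
```

Run it against a clone before answering the trust prompt, or as a CI step that fails the job when any finding has `spawns_process` set and the server is not on an allow-list; a server that only declares a `url` is reported separately because the CLI would not execute a local command for it, although the remote endpoint still deserves review.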
## References
- Adversa AI Research: hxxps[://]adversa[.]ai/
- Dark Reading: hxxps[://]www[.]darkreading[.]com/application-security/trustfall-exposes-claude-code-execution-risk
- Threat Beat: hxxps[://]threatbeat[.]com/threats/trustfall-convention-exposes-claude-code-execution-risk/