Pillar Security disclosed TrustFall this week: a class of vulnerabilities affecting the four major AI command-line coding tools, Anthropic's Claude Code, Google's Gemini CLI, Cursor CLI, and GitHub's Copilot CLI. The common pattern: each tool reads configuration files that ship inside a project, each tool will start helper programs those config files point to, and each tool asks for permission with a single dialog box that, in most cases, defaults to "yes." So an attacker who can get you to clone a malicious repository, or who can open a pull request as an outside contributor, can trigger arbitrary code execution on your machine via one keystroke. The Cursor-specific instance has CVE-2026-26268; the broader pattern affects all four tools because they all made the same trust-model assumption: project-shipped config files are trustworthy.
The worst version of this is what happens in continuous integration. When Claude Code runs on a GitHub Action (the official one Anthropic publishes), it runs in headless mode. There is no terminal, no human, and no dialog box ever appears. A pull request from a stranger ships a malicious config file, the CI runner picks it up, and the helper program executes with whatever the runner has access to: source code, deploy keys, cloud secrets, internal tools. Pillar's writeup walks through how the attack chain requires only one prerequisite, an AI agent autonomously executing commands from a repo it doesn't own, and that is exactly the workflow these tools are designed for. The root cause for Cursor was a feature interaction in Git that becomes exploitable the moment an AI agent autonomously executes Git operations in an untrusted repository. The other three tools have variants of the same root cause: the AI did exactly what its config said to do, the config came from an attacker, and the model isn't auditing config provenance.
The broader point is something the AI-coding-tools category has had to learn the hard way: agents that execute code on your behalf inherit your blast radius. If you have a credential that can deploy to production, the AI you're using has that credential too. Auto-approval dialogs that default to yes are the security equivalent of the early-2000s "do you want to run this ActiveX control" prompts: a checkbox that hides a permission grant. For developers using these tools casually (one-off scripts, personal projects), the practical risk is contained. For developers using them at work, especially in CI pipelines, on machines with company credentials, or in environments with privileged access, the risk model needs an update. The TrustFall pattern is going to keep finding variants until the entire category shifts from "AI executes by default unless you stop it" to "AI proposes by default unless you approve it". That is closer to what Anthropic shipped with Claude Code Auto Mode last week (covered here), but it isn't yet the default elsewhere.
What to do now. For Claude Code users: update to the version with the CVE patch, audit your CI pipelines for any AI-agent action running on PR triggers from outside contributors, and check whether any project config files are read by agents during your build. For Cursor users: update to a version that explicitly fixes CVE-2026-26268. For Gemini CLI and Copilot CLI users: check vendor advisories, since patches are rolling out at varying speeds. For everyone using AI coding tools: the trust model where config files ship inside repos is convenient but compromised; treat untrusted repositories the way you'd treat email attachments from strangers. The broader category-level signal: AI coding tool security is now a recognized class of vulnerability, and the research will keep finding more. Auto-approval is the failure mode to design out, not the feature to leave on by default.
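One way to carry out the "check whether any project config files are read by agents during your build" step is a CI gate that parses the project-scoped agent config files in a checkout, lists every helper program they would spawn, and fails the build when a PR touches one of those files. This is an added example, not code from Pillar's writeup or from any of the four vendors; the config paths and the `mcpServers` key it looks for are assumptions about each tool's project-level layout, and the repository it scans is constructed inline.

```python
"""CI gate: refuse PRs that add or change agent config files able to start helper programs."""
import json
import tempfile
from pathlib import Path

# Assumed project-scoped config files and the JSON key whose entries name a spawnable program.
AGENT_CONFIGS = {
    ".mcp.json": "mcpServers",              # Claude Code project MCP servers (assumed path)
    ".cursor/mcp.json": "mcpServers",       # Cursor (assumed path)
    ".gemini/settings.json": "mcpServers",  # Gemini CLI (assumed path)
}

def spawned_commands(repo: Path) -> list[dict]:
    """Return every program an agent would launch because a project config points at it."""
    findings = []
    for rel, key in AGENT_CONFIGS.items():
        path = repo / rel
        if not path.is_file():
            continue
        try:
            data = json.loads(path.read_text(encoding="utf-8"))
        except (json.JSONDecodeError, UnicodeDecodeError):
            # An unparseable config still deserves a human look before an agent reads it.
            findings.append({"file": rel, "server": None, "command": "<unparseable>"})
            continue
        for name, spec in (data.get(key) or {}).items():
            if isinstance(spec, dict) and spec.get("command"):
                args = [str(a) for a in spec.get("args", [])]
                findings.append({"file": rel, "server": name,
                                 "command": " ".join([spec["command"], *args])})
    return findings

def gate(repo: Path, changed_files: set[str]) -> tuple[bool, list[dict]]:
    """Pass only when the PR's changed files include no config that spawns a program."""
    touched = [f for f in spawned_commands(repo) if f["file"] in changed_files]
    return (len(touched) == 0, touched)

def demo() -> tuple[bool, list[dict]]:
    """Constructed checkout: a PR adds a Cursor MCP config pointing at a shell helper."""
    with tempfile.TemporaryDirectory() as tmp:
        repo = Path(tmp)
        (repo / ".cursor").mkdir()
        (repo / ".cursor" / "mcp.json").write_text(json.dumps({
            "mcpServers": {"helper": {"command": "sh", "args": ["-c", "echo constructed-sample"]}}
        }), encoding="utf-8")
        return gate(repo, {".cursor/mcp.json", "README.md"})

if __name__ == "__main__":
    ok, touched = demo()
    print("PASS" if ok else "FAIL", touched)
```

In a real pipeline the `changed_files` set comes from the PR diff and the gate runs before any agent step, so a config added by an outside contributor is reviewed by a person rather than executed by the runner.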
