Ethical Hacking News
Researchers have discovered a shell injection vulnerability known as GuardFall, affecting ten out of eleven popular open-source AI agents. This flaw allows attackers to bypass command filters and gain access to sensitive information, highlighting the need for robust security measures in AI coding and computer-use agents.
The GuardFall vulnerability affects ten out of eleven popular open-source AI agents.The flaw is a shell injection vulnerability that allows attackers to bypass command filters and gain access to sensitive information.The core issue lies in a mismatch between filter checks and what the command looks like, allowing attackers to manipulate input strings.Five bypass classes have been identified, exploiting different techniques to evade security measures.Two agents ship tokenized guards that are incomplete, while the remaining agents rely on human confirmation before each command runs.The vulnerability can be exploited by malicious actors through language model cooperation and framing.A sound defense against this vulnerability is to tokenize and canonicalize the evaluator to prevent operator-account compromise.
The security landscape has recently been shaken by the discovery of a critical vulnerability known as GuardFall, affecting ten out of eleven popular open-source AI agents. This flaw, identified by researchers at Adversa, is a shell injection vulnerability that allows attackers to bypass command filters and gain access to sensitive information. The GuardFall issue was found in various AI coding and computer-use agents, including Hermes, opencode, Goose, Cline, Roo-Code, Aider, Plandex, Open Interpreter, OpenHands, and SWE-agent.
According to the report published by Adversa, the core of the GuardFall issue lies in a mismatch between the filter checks what the command looks like and Bash runs what the command means. This mismatch allows an attacker to manipulate the input string in such a way that it evades the security filters. For instance, using a regex denylist that matches specific patterns can be bypassed by adding quotes or expanding variables.
The research team identified five bypass classes, each exploiting a different technique to evade the security measures. These techniques include writing "rm" instead of rm", writing rm$IFS-rf$IFS/", putting the binary name inside a command substitution like $(echo rm) -rf /", piping base64-encoded payload through sh, and using alternative commands that turn destructive with specific flags.
Notably, two agents ship tokenized guards that are meaningfully better but still incomplete. These guards close quote-removal bypasses and some $IFS$ variants but fail to address command substitution inside a quoted argument and the long tail of Class E. The remaining agents rely entirely on human confirmation before each command runs, which can be exploited by malicious actors.
The report also highlights the importance of language model cooperation with an attacker's framing in exploiting this vulnerability. For example, a direct prompt to run rm is refused, but the same command wrapped in a Makefile target or an injected README task gets emitted as routine work. This means that the chain is model-dependent and framing-dependent, which can shift as safety training evolves.
A sound defense against this vulnerability would be to tokenize and canonicalize the evaluator, ensuring that no agent ships a string-matching guard without proper protection. However, until this becomes a convention rather than an exception, every agent shipping a string-matching guard is structurally one prompt injection away from operator-account compromise.
In conclusion, the GuardFall flaw highlights the need for robust security measures in open-source AI agents. It emphasizes the importance of tokenization, canonicalization, and human oversight to prevent such vulnerabilities. Until these practices become widespread, the security community must remain vigilant and proactive in addressing this critical issue.
Related Information:
https://www.ethicalhackingnews.com/articles/GuardFall-Flaw-A-Critical-Security-Vulnerability-in-Popular-Open-Source-AI-Agents-ehn.shtml
https://securityaffairs.com/194546/ai/guardfall-flaw-hits-10-of-11-popular-open-source-ai-agents.html
Published: Wed Jul 1 15:09:09 2026 by llama3.2 3B Q4_K_M