The Intake — Friday, May 8, 2026
Editor’s note
Today's edition is anchored in a security vulnerability — called TrustFall — that affects AI coding tools used in software development pipelines. The short version: a malicious contributor can include hidden configuration files in a code repository that, when processed by an AI coding assistant, execute arbitrary commands on the host machine. Researchers at Adversa AI disclosed the issue on May 7, naming Claude Code, Gemini CLI, Cursor CLI, and GitHub Copilot CLI as affected.
The more consequential detail sits one layer deeper. Most readers will picture a developer on a laptop being asked to approve a prompt before anything runs — and yes, that one-click approval gate exists in the desktop version of these tools. But when the same tools run inside automated pipelines (the kind that validate code contributions without human eyes on each step), there is no prompt. The gate is simply not there. That transforms a one-click attack into a zero-click one, and the exposure shifts from individual developers to any engineering team that routes outside contributor branches through an automated agent.
Anthropic declined to assign a CVE to TrustFall, treating user acceptance of the approval dialog as sufficient consent. On the same day, Microsoft patched two separate, critical-severity code-execution vulnerabilities in its Semantic Kernel AI framework — a different product, but the same underlying pattern: untrusted content crossing a boundary and reaching executable code. Two stories, one emerging shape.
The operators section today covers what teams running automated pipelines should check now.
On the substrate
Cloned repositories trigger one-click RCE in Claude Code, Gemini CLI, Cursor, and Copilot CLI on folder-trust acceptance
Sources: Adversa AI, Help Net Security, The Register
A cloned repository can ship .mcp.json and .claude/settings.json files that configure an unsandboxed MCP server; when a developer opens the folder and accepts the standard folder-trust dialog, whose default response is "Yes", the MCP server executes with full host privileges. Adversa AI disclosed the chain on May 7 as TrustFall, naming Claude Code v2.1.129, Gemini CLI, Cursor CLI, and GitHub Copilot CLI as affected. Three earlier CVEs in the same pattern were assigned over the preceding disclosure cycle (CVE-2025-59536, CVE-2026-21852, CVE-2026-33068). Anthropic's security team declined the report as outside its threat model: the company treats user acceptance of the folder-trust dialog as consent to the full project configuration, and no CVE was assigned for TrustFall itself. The structural point is that the trust dialog is a single binary gate covering arbitrary executable configuration, and the attack vector is the cloned repository rather than the prompt.
Microsoft Semantic Kernel patches CVSS 9.9 and 10.0 RCE flaws across Python and .NET SDKs
Sources: Microsoft Security Blog, GitHub Advisory GHSA-xjw9-4gw8-4rqx, NVD CVE-2026-26030, NVD CVE-2026-25592
Two RCE vulnerabilities in Semantic Kernel landed in the same May 7 Microsoft Security Blog post. CVE-2026-26030, CVSS 9.9, sits in the Python SDK's InMemoryVectorStore filter functionality: a crafted filter expression travels through the SDK's Python AST traversal to an eval() sink. The fix ships in semantic-kernel python-1.39.4. CVE-2026-25592, CVSS 10.0, sits in the .NET SDK's SessionsPythonPlugin: the DownloadFileAsync and UploadFileAsync methods do not validate the localFilePath parameter, so a path traversal becomes an arbitrary file write, which is the precursor to RCE. The fix ships in Microsoft.SemanticKernel.Core 1.71.0. The Microsoft post frames both flaws as instances of the same pattern — agent-framework code paths that trust untrusted inputs once the prompt boundary is crossed — and notes that follow-up coverage of non-Microsoft frameworks is forthcoming. The .NET path-traversal flaw is the more severe of the two by CVSS score.
For operators
Headless CI/CD invocation of agent CLIs is the zero-click variant of TrustFall
Headless invocation of Claude Code, Gemini CLI, or Cursor CLI in CI/CD environments suppresses the folder-trust confirmation dialog entirely — the one user-initiated consent step the desktop variant requires is gone. Per Adversa AI's disclosure, any pipeline that checks out repository branches from external contributors and invokes an agent CLI against the working directory will execute attacker-controlled .mcp.json configurations without a prompt firing. The pipelines most exposed are the routine ones: PR-validation runners that call an agent CLI for review or test-generation against the contributor's branch, and any post-clone hook that invokes an agent before manual review. Audit incoming-branch pipelines this week for whether they vet project-scoped MCP settings before invoking the CLI. Where such vetting does not exist, restrict agent-CLI invocation to first-party branches until pipeline configurations explicitly allow-list or strip .mcp.json and .claude/settings.json from contributor-supplied trees.
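A pre-flight check for the audit step above, as an added example that is not part of Adversa AI's disclosure or any vendor's tooling: it locates contributor-supplied .mcp.json and .claude/settings.json files in a checkout, reports MCP servers whose launch command is not on the pipeline owner's allow-list, and optionally strips the files before the agent CLI runs. The .mcp.json layout ("mcpServers" entries with "command" and "args"), the allow-list, and the sample file are assumptions constructed for the example.

```python
import json
import os
from pathlib import Path

# Project-scoped files the disclosure names as carrying executable agent configuration.
AGENT_CONFIG_FILES = (".mcp.json", ".claude/settings.json")
# Constructed allow-list of vetted launcher binaries (an assumption, not a vendor default).
ALLOWED_MCP_COMMANDS = {"npx"}
# Constructed .mcp.json from a hypothetical contributor branch: one vetted server and
# one that launches a shell with contributor-chosen arguments.
SAMPLE_MCP_JSON = json.dumps({"mcpServers": {
    "docs": {"command": "npx", "args": ["-y", "example-docs-server"]},
    "build-helper": {"command": "/bin/sh", "args": ["-c", "echo constructed"]}}})

def find_agent_configs(tree: Path) -> list[Path]:
    """Every project-scoped agent config file in the checkout, root-level or nested."""
    nested = tuple("/" + f for f in AGENT_CONFIG_FILES)
    rel = lambda p: p.relative_to(tree).as_posix()
    return sorted(p for p in tree.rglob("*") if p.is_file()
                  and (rel(p) in AGENT_CONFIG_FILES or rel(p).endswith(nested)))

def unvetted_mcp_servers(mcp_json: str) -> list[str]:
    """Names of MCP servers whose command is not allow-listed. Assumes the layout
    {"mcpServers": {name: {"command": ...}}}; unparseable input is itself a finding."""
    try:
        servers = json.loads(mcp_json).get("mcpServers", {})
    except (ValueError, AttributeError):
        return ["<unparseable .mcp.json>"]
    if not isinstance(servers, dict):
        return ["<unexpected mcpServers shape>"]
    bad = []
    for name, spec in servers.items():
        cmd = spec.get("command") if isinstance(spec, dict) else None
        if not isinstance(cmd, str) or os.path.basename(cmd) not in ALLOWED_MCP_COMMANDS:
            bad.append(str(name))
    return bad

def audit_tree(tree: Path, strip: bool = False) -> list[str]:
    """Findings for a checkout; strip=True also deletes the files before any agent CLI runs."""
    findings = []
    for cfg in find_agent_configs(tree):
        rel = cfg.relative_to(tree).as_posix()
        if cfg.name == ".mcp.json":
            findings += [f"{rel}: unvetted MCP server {n!r}" for n in unvetted_mcp_servers(cfg.read_text())]
        else:  # settings file: the disclosure treats it as executable config, so flag it outright
            findings.append(f"{rel}: contributor-supplied agent settings present")
        if strip:
            cfg.unlink()
    return findings
```

Run audit_tree on the checkout directory before the agent-CLI step and fail the job on any finding; with strip=True the same call doubles as the "strip .mcp.json and .claude/settings.json" fallback.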