Executive Summary
A critical OS Command Injection vulnerability (CVE-2026-30303) has been disclosed in Axon Code, an AI-powered code assistant. The vulnerability resides in the command auto-approval module, where the product incorrectly uses a Unix-based shell-quote parser to validate and whitelist commands on Windows systems. This parser incompatibility renders the whitelist security mechanism entirely ineffective, allowing adversarially crafted commands to bypass approval controls and execute arbitrary OS commands.
CVSS Score: 9.8 (Critical)
CWE: CWE-78 — Improper Neutralisation of Special Elements used in an OS Command
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-30303 |
| CVSS Score | 9.8 (Critical) |
| CWE | CWE-78 — OS Command Injection |
| Type | Command Injection via Security Bypass |
| Attack Vector | Network / Local (via AI prompt or malicious repo) |
| Privileges Required | None (in auto-approve context) |
| User Interaction | None (in auto-approve mode) |
| Patch Available | Pending — monitor vendor advisory |
Affected Products
| Product | Condition | Remediation |
|---|---|---|
| Axon Code (Windows) | Command auto-approval module enabled | Disable auto-approval; monitor for patch |
| Axon Code "Execute safe commands" mode | Auto-approval of model-judged-safe commands active | Disable; switch to manual approval |
Note: This vulnerability is specific to Windows deployments due to the mismatched use of the Unix shell-quote library to parse Windows command syntax.
Technical Analysis
Root Cause
Axon Code's command auto-approval module is designed to whitelist commands deemed safe by the AI model. To implement this whitelist check, the product uses the shell-quote library — a Unix/POSIX-oriented command parser — to tokenise and analyse commands. However, on Windows systems, the command syntax differs substantially from Unix shell syntax (different quoting rules, metacharacters, and escaping mechanisms).
Because shell-quote does not understand Windows command syntax, specially crafted commands can be structured in a way that:
- Appears benign when parsed through the Unix-oriented shell-quote tokeniser
- Executes malicious OS commands when actually run by Windows cmd.exe or PowerShell
This discrepancy completely defeats the whitelist security control.
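One way an approval gate can fail closed when its tokeniser does not match the shell that will run the command, as an added example that is not Axon Code's code or the vendor's fix. `decideAutoApproval`, the parser object shape, the allowlist and the `PORTABLE` character set are assumptions made for illustration; argument-level policy is out of scope.

```javascript
// Added example; all names are hypothetical and not taken from Axon Code.
// Assumed-conservative set: characters with no quoting, escaping or operator
// meaning in POSIX shells, cmd.exe or PowerShell.
const PORTABLE = /^[A-Za-z0-9 _.\/:-]+$/;

// Dialect of the shell that will actually execute the command.
function executingDialect(platform) {
  return platform === "win32" ? "windows" : "posix";
}

// parser: { dialect: "posix" | "windows", tokenize(command) -> array }
// Returns { approve, reason }; anything not approved goes to manual review.
function decideAutoApproval(command, platform, parser, allowlist) {
  if (typeof command !== "string" || command.trim() === "") {
    return { approve: false, reason: "empty-or-invalid" };
  }
  let tokens;
  if (parser.dialect === executingDialect(platform)) {
    // The tokeniser models the shell that runs the command: use its view.
    tokens = parser.tokenize(command);
  } else if (PORTABLE.test(command)) {
    // Wrong-dialect parser, but nothing here can be read differently.
    tokens = command.trim().split(/ +/);
  } else {
    // Quotes, escapes or metacharacters seen through the wrong parser: fail closed.
    return { approve: false, reason: "parser-shell-mismatch" };
  }
  // shell-quote's parse() yields non-string entries for operators and globs.
  if (!tokens.every((t) => typeof t === "string")) {
    return { approve: false, reason: "shell-operator" };
  }
  if (!allowlist.has(tokens[0])) {
    return { approve: false, reason: "not-allowlisted" };
  }
  return { approve: true, reason: "allowlisted" };
}

// Constructed inputs: a stand-in POSIX tokeniser and a sample allowlist.
const posixParser = { dialect: "posix", tokenize: (s) => s.trim().split(/\s+/) };
const allow = new Set(["git", "npm"]);
for (const cmd of ["git status", "git log --format=%H", "curl example.invalid"]) {
  console.log(cmd, "->", decideAutoApproval(cmd, "win32", posixParser, allow).reason);
}
```

The same `git log --format=%H` command is approved when the platform is not Windows, because the POSIX tokeniser then matches the executing shell.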
Attack Scenarios
Scenario A — Malicious Repository: An attacker embeds a malicious prompt or configuration file in a repository. When a developer opens the project in Axon Code with auto-approval enabled, crafted commands are injected through the AI agent's terminal execution path and bypass the whitelist check.
Scenario B — Prompt Injection: An attacker delivers a prompt injection payload (e.g., via a webpage, document, or API response that the AI agent reads). The injected prompt instructs the agent to run a command structured to bypass the shell-quote-based whitelist on Windows.
Scenario C — Supply Chain: A dependency or configuration file in a project is tampered with to include commands that exploit this bypass when auto-approval mode processes them.
Impact Assessment
| Impact Area | Description |
|---|---|
| Arbitrary Command Execution | Any OS command can execute with the privileges of the Axon Code process |
| Data Exfiltration | Source code, credentials, SSH keys, browser data accessible from developer workstation |
| Persistence | Malware, backdoors, or scheduled tasks can be installed silently |
| Lateral Movement | Developer machines are typically high-privilege targets in corporate environments |
| Supply Chain Risk | Compromised developer workstations can lead to poisoned builds and commits |
Immediate Remediation
Step 1: Disable Command Auto-Approval Mode
The most critical immediate action is to disable the auto-approval feature entirely.
In Axon Code settings, switch from "Execute safe commands" (auto-approval) to "Execute all commands" with manual review, or to a fully manual approval mode. Do not rely on the whitelist-based safety check on Windows.
Step 2: Review Recently Executed Commands
Examine Axon Code's command execution history and terminal logs for any unexpected or suspicious commands that may have been auto-approved.
```powershell
# Review PowerShell history for suspicious entries
Get-Content (Get-PSReadLineOption).HistorySavePath | Select-Object -Last 100
# Review cmd.exe history (if applicable); doskey only lists the current cmd.exe session
doskey /history
```
Step 3: Audit File System for Indicators
```powershell
# Check for recently created scheduled tasks
# (Date is a string and is often empty, so cast it before comparing)
Get-ScheduledTask | Where-Object { $_.Date -and ([datetime]$_.Date -gt (Get-Date).AddDays(-7)) }
# List current-user startup (Run key) entries for review
Get-ItemProperty HKCU:\Software\Microsoft\Windows\CurrentVersion\Run
# Review executables and scripts written to AppData in the last 7 days
Get-ChildItem $env:APPDATA -Recurse -Include *.exe,*.bat,*.ps1 |
    Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-7) }
```
Step 4: Apply Principle of Least Privilege
Run Axon Code and AI developer tools under a low-privilege user account rather than an administrative account. This limits the blast radius if auto-execution is abused.
Detection Indicators
| Indicator | Description |
|---|---|
| Unexpected processes spawned from Axon Code | Child processes with unusual names or paths |
| Outbound network connections from developer workstation | Unexpected C2 or exfiltration traffic |
| New scheduled tasks or registry run keys | Persistence mechanisms installed post-exploitation |
| Modified or newly created scripts in project directories | Injected payloads within the development environment |
```powershell
# On Windows — monitor process creation from Axon Code parent
# Use Process Monitor (Sysinternals) filtered to Axon Code PID
# Or review Windows Security Event Log for process creation events (Event ID 4688)
# 4688 is only logged when the "Audit Process Creation" policy is enabled;
# reading the Security log requires an elevated prompt
wevtutil qe Security /q:"*[System[EventID=4688]]" /f:text | findstr /i axon
```
Post-Remediation Checklist
- Disable command auto-approval mode immediately on all Windows Axon Code installations
- Audit recent command execution logs for suspicious activity
- Rotate any credentials or secrets accessible from affected developer workstations
- Apply least-privilege principles to AI developer tool execution contexts
- Monitor the Axon Code vendor advisory channel for an official patch
- Validate all project files and dependencies for unexpected modifications
- Document the incident and remediation in your vulnerability management and IR systems