Executive Summary
A critical vulnerability (CVE-2026-30304) has been disclosed in AI Code, an AI-powered development environment. The product offers two auto-execution modes: "Execute safe commands" (where the AI model judges command safety and auto-approves those deemed safe) and "Execute all commands". Due to a fundamental flaw in the safety judgement design, the "Execute safe commands" mode can be bypassed — causing commands that should be flagged as potentially harmful to instead be automatically executed without user approval.
CVSS Score: 9.6 (Critical) CWE: CWE-693 — Protection Mechanism Failure
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-30304 |
| CVSS Score | 9.6 (Critical) |
| CWE | CWE-693 — Protection Mechanism Failure |
| Type | Safety Control Bypass leading to Arbitrary Command Execution |
| Attack Vector | Network / Local (via AI prompt or malicious content) |
| Privileges Required | None |
| User Interaction | None (in auto-execute mode) |
| Patch Available | Monitor vendor advisory for update |
Affected Products
| Product | Condition | Remediation |
|---|---|---|
| AI Code — "Execute safe commands" mode | Auto-approval based on model safety judgement enabled | Disable auto-execution; require manual approval |
| AI Code — any version with autonomous terminal access | Agentic task execution with limited oversight | Review and restrict execution permissions |
Technical Analysis
Design Flaw Description
AI Code's "Execute safe commands" mode is intended to streamline development by automatically running commands the AI model determines to be safe, while pausing for user confirmation on commands judged as potentially harmful.
The vulnerability stems from the adversarial manipulability of the model's safety judgement. The safety classification is performed by the same AI model that generates the commands — creating a scenario where:
- Prompt injection attacks can manipulate the model's judgement, causing it to classify a dangerous command as safe
- Adversarially crafted instructions in files, web content, or repository data read by the agent can override the safety assessment
- The model's safety reasoning is not independently verified before execution, creating a single point of failure
Attack Vector — Prompt Injection
An attacker can embed a prompt injection payload in any content the AI agent processes during a development task:
- A malicious README or documentation file
- A webpage fetched by the agent during research
- An API response from a third-party service the agent queries
- A crafted dependency file or configuration
The payload instructs the model to classify subsequent dangerous commands as "safe," bypassing the confirmation gate and triggering immediate auto-execution.
Impact of Bypass
Once the safety gate is bypassed, the attacker has full terminal command execution in the context of the developer's account and machine — equivalent to the "Execute all commands" mode without the user's knowledge or consent.
Impact Assessment
| Impact Area | Description |
|---|---|
| Arbitrary Code Execution | Any terminal command executes under the developer's OS account |
| Data Theft | Source code, SSH keys, API tokens, cloud credentials all accessible |
| Persistence | Backdoors, cron jobs, or registry run keys can be silently installed |
| Supply Chain Compromise | Developer workstation compromise can lead to poisoned builds or commits |
| Credential Harvesting | Browser-stored credentials, .env files, and shell history accessible |
| Lateral Movement | Developer machines often have elevated internal network access |
Immediate Remediation
Step 1: Disable "Execute Safe Commands" Auto-Approval
Switch AI Code's terminal execution mode to fully manual approval — requiring explicit confirmation for every command before execution.
- In AI Code settings, change the terminal execution policy to require user confirmation for all commands
- Do not rely on the model's safety judgement as the sole gate for auto-execution
Step 2: Restrict Agent File System Access
Limit the directories and file types the AI agent can read during tasks, reducing the attack surface for prompt injection via malicious files:
# Use project-scoped workspaces to limit agent access
# Avoid opening untrusted repositories in AI Code with auto-execution enabled
# Review any .ai-instructions, .cursorrules, or similar files before loading projectsStep 3: Audit Recent Command Execution
Review AI Code's command log and shell history for any commands that were auto-executed unexpectedly:
# Review bash/zsh history for unusual commands
history | tail -200
# Check for recently created or modified files in unexpected locations
find $HOME -newer /tmp/.audit-marker -name "*.sh" -o -name "*.py" 2>/dev/null
# Review cron jobs for unexpected entries
crontab -lStep 4: Harden the Development Environment
# Run AI development tools under a restricted user account
# Use a containerised development environment to limit blast radius
# Avoid storing long-lived credentials (API keys, SSH keys) on the same machine
# Review ~/.ssh, ~/.aws, ~/.config for unexpected access or modifications
ls -la ~/.ssh/
ls -la ~/.aws/Detection Indicators
| Indicator | Description |
|---|---|
| Commands executed without user prompt appearing | AI Code auto-executing unusual commands silently |
| Unexpected outbound network traffic | Data exfiltration or C2 callbacks from the development machine |
| New files in home directory or temp locations | Dropped payloads or scripts |
| Modified shell configuration files | .bashrc, .zshrc, or .profile altered for persistence |
| Unexpected git commits or pushes | Repository manipulation post-compromise |
# Monitor for unexpected process spawning from AI Code
# Use auditd or equivalent to log execve events
auditctl -a always,exit -F arch=b64 -S execve -k ai-exec-monitor
ausearch -k ai-exec-monitor --start today | tail -50
# Check for network connections from suspicious processes
ss -tnp | grep -v LISTENPost-Remediation Checklist
- Disable "Execute safe commands" auto-approval mode immediately
- Switch to fully manual command approval for all AI Code terminal interactions
- Audit recent AI Code session command logs for unexpected executions
- Rotate any credentials, tokens, or secrets accessible from the affected machine
- Review repository history for unexpected commits or modifications
- Harden the development environment with containerisation or privilege separation
- Monitor the AI Code vendor channel for an official security patch
- Document the vulnerability and mitigations in your secure development guidelines
Broader Context: AI IDE Security
CVE-2026-30304 and CVE-2026-30303 (Axon Code) represent an emerging class of vulnerabilities in AI-powered developer tools. As these tools gain autonomous terminal execution capabilities, the attack surface expands significantly:
- Prompt injection becomes a primary exploit vector — any content the agent reads is a potential attack surface
- Auto-execution features amplify the impact of safety bypass vulnerabilities
- Developer workstations are high-value targets with broad access to internal networks, code repositories, and cloud environments
Organisations adopting AI coding assistants should establish explicit policies around auto-execution features and apply the same security scrutiny to these tools as to any privileged development software.