The issue is structural. The safety checker evaluates commands as plain text, while the shell runs them through a parser built over 40 years ago. That mismatch is what GuardFall exploits .
According to the available reporting, the following open-source agents were among those affected by GuardFall :
Because the problem is a parsing mismatch rather than a simple blocklist gap, Adversa AI and other analysts recommend a layered approach :
Adversa AI also recommends that maintainers adopt a tokenize-and-canonicalize approach for command safety checks rather than simple string matching .
GuardFall was not disclosed in isolation. June 2026 reporting documented multiple coordinated vulnerability disclosures that suggested many AI coding agents share similar structural weaknesses around trust, command execution, and workspace content .