Artificial intelligence development tools are introducing fundamentally new client-side risks, requiring the security industry to update how it monitors and protects developer environments.
During a session at the RSAC 2026 Conference in San Francisco, Oded Vanunu, chief technologist at Check Point Software, detailed how the architecture of AI coding assistants inadvertently bypasses modern endpoint defenses. The session, titled "When AI Agents Become Backdoors: The New Era of Client-Side Threat," outlined a series of vulnerabilities discovered in tools including Anthropic's Claude Code, OpenAI's Codex, Google's Gemini, and Cursor.
Vanunu and his research team spent the past year evaluating AI development tools. They found that the rapid adoption of these agents is shifting the security situation, bypassing many of the protections the cybersecurity industry has built over the past decade to secure endpoints and transition application execution to the cloud.
Understanding the endpoint visibility gap
Over the past 20 years, security teams successfully reduced client-side risk through operating system hardening, sandboxing, endpoint detection and response (EDR), and browser isolation. The transition to software-as-a-service (SaaS) effectively turned endpoints into thin clients, significantly reducing the available surface for unauthorized access.
However, AI coding assistants require deep access to local filesystems and developer configurations to function effectively. Because developers typically assign these tools high privileges and broad network access, the agents establish operational pathways that bypass traditional security boundaries. Furthermore, because these tools operate autonomously and with elevated permissions, conventional security technologies struggle to monitor their actions or distinguish routine tasks including unauthorized activity.
According and Vanunu, security products currently lack the visibility required to understand or control agentic AI behavior at the endpoint.
Compounding this visibility gap is how AI tools interpret configuration files. These agents process configuration metadata as active execution instructions. While developers are typically cautious when handling executable files, they exercise less oversight over configuration formats like.json,.env, or.toml. Malicious actors can insert seemingly benign text into configuration metadata, instructing the agent to run unauthorized commands. This dynamic allows threat actors to utilize standard configuration files rather than traditional malicious software.
Identified vulnerabilities in AI assistants
Vanunu’s team identified six specific vulnerabilities across popular AI coding platforms. The respective vendors have since patched these flaws.
In Claude Code, researchers discovered a high-severity flaw (CVE-2025-59536) that allows an unauthorized party to manipulate the tool into executing hidden code before the user accepts the startup trust dialog. This vulnerability can be used to manipulate Claude Code Hooks—user-defined shell commands designed to run automatically—thereby bypassing EDR products. Additionally, researchers demonstrated a model context protocol (MCP) consent bypass. While Claude requires user consent before executing MCP server plug-ins, Claude Code reads configurations automatically, allowing unauthorized MCP servers to run commands before the trust dialog appears.
In the OpenAI Codex CLI, the team identified a code injection vulnerability (CVE-2025-61260, CVSS score pending). This flaw allows a modified project.env file to redirect the CLI to a local.toml configuration file. The configuration then connects to unauthorized MCP servers, prompting the coding tool to execute commands immediately without human oversight.
The researchers also documented CVE-2025-54136, a high-severity remote code execution (RCE) vulnerability in the Cursor coding platform. When a developer approves an MCP server command, Cursor binds that authorization to the plug-in's name rather than the specific content hash of the approved action. This discrepancy enables a swap technique: an unauthorized party can submit a benign command for approval, then update the plug-in with unauthorized instructions once authorization is granted.
Finally, the session detailed an unassigned flaw in Google's Gemini CLI. This vulnerability allows unauthorized commands to be disguised as legitimate scripts within documentation files. If an embedded command is placed in a GEMINI.md file, the tool executes it silently without requiring user approval.
Securing the developer perimeter
While the four vendors have addressed these specific vulnerabilities, the findings illustrate new paths for unauthorized access and emphasize that developer workstations now represent a critical security perimeter.
To safely deploy AI coding assistants, Vanunu recommends organizations take immediate steps to evaluate their environments:
Conduct a comprehensive audit to identify all AI technology currently in use, actively looking for unauthorized or "shadow AI" tools.
Analyze all project metadata and configuration files for suspicious or undocumented content.
Require isolation for coding tools, ensuring that all AI-automated shell tasks execute within strict sandbox environments.
Adopt a "Configuration = Code" policy for developer workstations, treating these environments with zero-trust principles where no text is executed without explicit verification.
By applying these controls, security teams can redesign their defense strategies to support developer productivity while maintaining rigorous protection over local and cloud environments.