
CVE-2026-39861: Anthropic/OpenAI AI Agents — Arbitrary Code Execution Risk (July 2026)
CVE-2026-39861 — Anthropic/OpenAI AI Coding Agents
CVE-2026-39861 is a high-severity vulnerability affecting Anthropic's Claude Code and OpenAI's Codex AI agents. The flaw enables attackers to achieve arbitrary code execution on host systems when these agents operate in autonomous command approval modes. There is no evidence of active exploitation, but the attack bypasses core trust and sandboxing controls in AI-assisted code review workflows.
Attack Vector
Researchers demonstrated the "Friendly Fire" attack by embedding a malicious binary, disguised as a compiled Go file, within an open-source repository. When an AI security agent scans this repository in autonomous mode, it is tricked into executing the payload—often triggered via a security.sh script referenced in the README. The attack leverages the agent's intended functionality for scanning untrusted third-party code, exploiting insufficient isolation and trust validation mechanisms. No user warning or explicit approval is required for execution, making the attack stealthy and difficult to detect in real time.
Who Is at Risk
Anthropic Claude Code and OpenAI Codex users are directly affected, specifically when these tools are deployed in autonomous or automated command approval modes. Organizations integrating these AI agents into CI/CD pipelines or automated security testing environments are at heightened risk. Both vendors are impacted globally, with no current evidence of exploitation outside controlled research settings.
Patch & Mitigate
- Patch: No official patch or hotfix is available as of July 2026. Monitor vendor advisories for updates.
- Workaround: Disable autonomous command approval modes in AI coding agents. Restrict scanning of untrusted third-party code and enforce manual review for all code execution steps.
- Detect: Audit logs for unexpected execution of binaries or scripts (e.g., security.sh) initiated by AI agents. Monitor for anomalous process launches during code scanning operations.
MITRE ATT&CK
- TA0001 — Initial Access: Attackers introduce malicious code via open-source repositories to gain initial execution.
- TA0002 — Execution: The AI agent executes attacker-supplied binaries/scripts without user intervention, enabling code execution on the host.
Source: https://thehackernews.com/2026/07/friendly-fire-ai-agents-built-to-catch.html
Start Your 14-Day Free Trial
Get curated cyber intelligence delivered to your inbox every morning at 6 AM. No credit card required.
Get Started Free

