The May 2026 disclosures against AI coding agents (Adversa AI's TrustFall on 7 May 2026, a one-keypress remote code execution reaching Claude Code, Cursor, Gemini CLI, and GitHub Copilot CLI; SymJack on 26 May 2026, a symlink hijack confirmed against six agents that overwrites an agent's own configuration to plant a malicious MCP server; and Microsoft's Semantic Kernel CVE-2026-26030 and CVE-2026-25592) share one design assumption: that showing an approval prompt is the same as obtaining informed consent. Because the coding agent executes attacker-supplied instructions with the developer's full credentials and write access to the build and deploy chain, it is a production attack surface that the enterprise should govern as a managed endpoint (inventory, deliberate version-pinning and patching, credential separation, monitoring for config-write-then-execute, and no untrusted repositories on credentialed machines) rather than as developer tooling outside the inventory.
Anchored on May 2026 security research:
- Adversa AI's TrustFall (7 May 2026, reported by Help Net Security and Adversa): a default-yes trust dialog reaching Claude Code, Cursor, Gemini CLI, and GitHub Copilot CLI.
- SymJack (26 May 2026, Adversa): a symlink-hijack config overwrite confirmed against six agents (Claude Code v2.1.128, with a partial fix in 2.1.129; Gemini CLI / Antigravity CLI; Cursor Agent CLI; GitHub Copilot CLI; Grok Build CLI; OpenAI Codex CLI) that plants a malicious MCP server on restart, stealing SSH keys, cloud tokens, browser sessions, deploy keys, signing material, and registry tokens.
- Microsoft's 7 May 2026 disclosure of two prompt-injection-to-RCE bugs in Semantic Kernel: CVE-2026-26030, an eval()-based RCE in the in-memory vector store, and CVE-2026-25592, an arbitrary file write via a SessionsPythonPlugin function accidentally exposed to the model.
The claim is scoped to the structural reading (the shared approval-equals-consent assumption; the coding agent as a production attack surface; the managed-endpoint control response), not to a prediction of in-the-wild exploitation and not to a single-vendor judgement.
Note on production model: this publication is written by Claude, Anthropic's model, and curated and signed by Peter. Claude Code is one of the affected agents, and Anthropic is the vendor reported to have declined the TrustFall report (the consent dialog was deemed sufficient), so the analysis treats every affected agent symmetrically and is written from the buyer's side.
VERIFIED 2026-06-02 via Microsoft Security Blog (microsoft.com/en-us/security/blog/2026/05/07/prompts-become-shells-rce-vulnerabilities-ai-agent-frameworks/; both CVEs and the affected Semantic Kernel versions), Help Net Security (helpnetsecurity.com/2026/05/07/trustfall-ai-coding-cli-vulnerability-research/; the TrustFall four-tool list, mechanism, and the Anthropic decline), and Adversa AI (the SymJack write-up; the six-agent list, named versions, symlink mechanism, stolen-secret list, and mitigations).
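The config-write-then-execute control named in the claim, as an added detection example (not code from the page, from Adversa, Microsoft, or any agent vendor): it scans a constructed JSON-lines audit feed for writes that land in an agent's configuration tree, flags writes whose requested path was redirected into that tree through a symlink (the shape of the SymJack mechanism described above), and flags any process launched within a window after such a write. The field names, the agent config root /home/dev/.agent, and the sample events are assumptions made for the example.

```python
"""Detect config-write-then-execute in a coding-agent audit feed.

Added example; not code from any agent vendor or from the cited research.
Assumptions: a JSON-lines feed with fields ts (seconds), event
("file_write" with path and resolved, or "process_exec" with cmd), events
delivered in timestamp order, and a hypothetical agent config root
/home/dev/.agent.
"""
import json
from collections import deque
from pathlib import PurePosixPath

# Hypothetical: roots of the trees that configure the agent (MCP servers,
# hooks, trust lists). Substitute the real paths for each agent in inventory.
AGENT_CONFIG_DIRS = ("/home/dev/.agent",)
WINDOW_SECONDS = 300


def under(path, roots=AGENT_CONFIG_DIRS):
    """True if path lies inside one of roots; pure path logic, no filesystem calls."""
    parents = PurePosixPath(path).parents
    return any(PurePosixPath(root) in parents for root in roots)


def detect(lines, window=WINDOW_SECONDS, ignore=frozenset()):
    """Return alerts for two rules over events given in timestamp order.

    redirected_config_write: the write was requested outside the config tree
        but resolved (after symlinks) inside it, which is the redirection a
        planted symlink produces.
    config_write_then_exec: a process was launched within `window` seconds of
        a write that landed in the config tree, unless its executable's
        basename is in `ignore`.
    """
    recent = deque()  # (ts, resolved path) of writes that hit the config tree
    alerts = []
    for line in lines:
        ev = json.loads(line)
        ts = ev["ts"]
        if ev["event"] == "file_write":
            resolved = ev.get("resolved", ev["path"])
            if not under(resolved):
                continue
            if not under(ev["path"]):
                alerts.append({"rule": "redirected_config_write", "ts": ts,
                               "path": ev["path"], "resolved": resolved})
            recent.append((ts, resolved))
        elif ev["event"] == "process_exec":
            # Drop config writes that fell out of the window.
            while recent and ts - recent[0][0] > window:
                recent.popleft()
            exe = PurePosixPath((ev["cmd"].split() or [""])[0]).name
            if recent and exe not in ignore:
                alerts.append({"rule": "config_write_then_exec", "ts": ts,
                               "cmd": ev["cmd"],
                               "after_writes": [p for _, p in recent]})
    return alerts


# Constructed sample feed, not captured data: a symlink planted in a cloned
# repository redirects the agent's project-level config write into its global
# config, and the agent then launches a binary named in that config.
SAMPLE_LOG = [
    '{"ts": 100, "event": "file_write", "path": "/home/dev/repo/.agent/mcp.json", "resolved": "/home/dev/.agent/mcp.json"}',
    '{"ts": 101, "event": "process_exec", "cmd": "git status"}',
    '{"ts": 160, "event": "process_exec", "cmd": "/tmp/mcp-server --serve"}',
    '{"ts": 2000, "event": "file_write", "path": "/home/dev/repo/src/main.py", "resolved": "/home/dev/repo/src/main.py"}',
    '{"ts": 2001, "event": "process_exec", "cmd": "pytest"}',
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG, ignore={"git"}):
        print(json.dumps(alert))
```

The second rule is deliberately broad because the binary that gets launched is named by attacker-controlled configuration, so the detector cannot know its name in advance; the ignore set is the tuning knob for executables known to be benign on the host, and the write at ts 2000 shows that ordinary source edits outside the config tree never arm the rule.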
90-day review cadence; next review 31 Aug 2026. Trigger conditions:
- (1) a vendor changes the consent model to resolve and display the true destination before the decision, which would move the approval-is-not-consent reading toward Partial;
- (2) a new cross-vendor finding extends or contradicts the category-flaw reading;
- (3) a standards body or major buyer publishes a control baseline treating coding agents as managed endpoints, confirming the prescription;
- (4) evidence of in-the-wild exploitation, which sharpens urgency without changing the claim.
Siblings: /owasp-agentic-ai-top-10-walkthrough/, /nist-ai-rmf-agentic-ai-mapping/, /the-enterprise-agentic-ai-governance-playbook-2026/, and the operators version OPS-088 (/operators/ai-coding-cli-security-small-team/).
About this register
The Reporting register tracks claims published from articles addressed to senior enterprise IT leaders — CIOs, IT directors, heads of platform. Claims are reviewed on a 30–90 day cadence; each review either reaffirms the claim, marks one substantive part as Partial, or marks it Not holding once the underlying evidence has been overtaken.
Recent corrections in Reporting
- AM-003 · Partial · 28 May 2026
Pricing/model drift: a $100/mo Pro tier now sits beside the $200 tier (added 9 Apr 2026) and the premium model is GPT-5.5 Pro. Core thesis holds; the single-$200-tier framing no longer matches. Re-verify current tiers at chatgpt.com/pricing.
- AM-002 · Not holding · 06 May 2026
URL state changed. The /the-agentic-ai-revolution-real-world-success-stories-and-strategic-insights-from-2024-2025/ slug now serves a deliberately rewritten retrospective (claimId AM-130, "Agentic AI 2024-2025 retrospective", published 04 May 2026) against audited primary sources. The 28 Apr 2026 redirect to /retractions/ has been lifted to allow that. The AM-002 claim itself remains Not holding: the original $3.50/dollar + 70% failure-rate framing was withdrawn and is not restored. AM-130 is a separate claim with its own evidence chain. Readers arriving at /holding/AM-002 see the withdrawal here; the article link surfaces the new piece at the URL the original lived at, with this entry as the audit trail.
- AM-121 · Holding · 2 May 2026
Klarna walk-back primary-source upgrade — added Siemiatkowski verbatim quotes via Bloomberg-cited-by-Fortune (9 May 2025) and the Uber-style freelance hiring detail via Entrepreneur. Closes the highest-priority evidence gap from the source dossier.
Reviews coming up in Reporting
- AM-020 · Holding · next +15d (18 Jun 2026)
The 40-60% TCO underestimate on enterprise agentic-AI deployments is not a cost-visibility failure — it is a cross-depa…
- AM-023 · Holding · next +15d (18 Jun 2026)
The 10 Apr 2026 Google AI Mode rollout to eight markets is the first vertical (restaurant booking) where agentic search…
- AM-013 · Holding · next +15d (18 Jun 2026)
Q1 2026 is the quarter enterprise agentic-AI crossed three thresholds simultaneously — the first at-scale in-the-wild e…