Your development team's AI coding assistant can read every file on a developer's machine, execute terminal commands, make network requests, and in many cases connect to external services through plugins and integrations. It operates with the full privileges of the developer who runs it.

That level of access would raise eyebrows in any security review if it were a new employee or a third-party contractor. But because these tools are productivity software—used daily by over 90 percent of engineering organizations—their security implications often go unexamined.

That's starting to change, and not because of hypothetical risks. In the past year, security researchers have disclosed critical vulnerabilities in every major AI coding agent on the market. The attack techniques are sophisticated, the access they grant is extensive, and the window between disclosure and exploitation is shrinking.

Here's what business leaders and IT teams should understand about the security risks these tools introduce.

What AI Coding Agents Actually Do

To understand the risk, it helps to understand what these tools are—and what they aren't.

AI coding assistants like GitHub Copilot, Cursor, Claude Code, Windsurf, and Codex CLI are not simply autocomplete tools anymore. The latest generation operates as agents—autonomous systems that can read and write files, run shell commands, browse the web, interact with APIs, and connect to external services through protocols like the Model Context Protocol (MCP).

When a developer opens a project in one of these tools, the agent typically has access to:

  • The entire local filesystem — including source code, configuration files, environment variables, SSH keys, and API credentials
  • A terminal with developer-level privileges — capable of running any command the developer could run manually
  • Network access — including the ability to make HTTP requests, resolve DNS queries, and communicate with external servers
  • Connected services via MCP — databases, Slack workspaces, GitHub repositories, cloud infrastructure, and more

This is by design. The productivity gains come from giving the AI enough access to do meaningful work. But that same access creates an attack surface that didn't exist before these tools became standard development infrastructure.

Real Vulnerabilities, Real Consequences

The past year has seen a steady stream of critical security disclosures affecting every major AI coding agent. These aren't theoretical—they're documented CVEs with proof-of-concept exploits and, in several cases, evidence of real-world impact.

Claude Code: Data Exfiltration via DNS

CVE-2025-55284 (CVSS 7.1 — High). Discovered by security researcher Johann Rehberger of Embrace The Red, this vulnerability demonstrated that an attacker could embed malicious instructions in source code that, when analyzed by Claude Code, would trigger DNS-based data exfiltration—without the developer ever approving a suspicious command.

The exploit worked because Claude Code's allowlist of "safe" commands included network utilities like ping, nslookup, dig, and host. An attacker could craft a prompt injection in a code comment or documentation file that instructed the AI to read sensitive files (like .env or SSH keys) and encode the contents in DNS queries to an attacker-controlled domain. The developer would see nothing unusual.

Anthropic patched this in Claude Code version 1.0.4 by removing these utilities from the auto-approved command list.

Claude Code: Remote Code Execution and API Key Theft

The DNS vulnerability was only the beginning. Check Point Research subsequently discovered two more flaws:

  • CVE-2025-59536 (CVSS 8.7) — A code injection vulnerability that allowed execution of arbitrary shell commands when a developer simply opened Claude Code in a directory containing a malicious project file. No user interaction beyond starting the tool was required. Fixed in version 1.0.111 (August 2025).
  • CVE-2026-21852 (CVSS 5.3) — An information disclosure vulnerability that could exfiltrate sensitive data, including Anthropic API keys, through Claude Code's project-load flow. A developer cloning and opening a malicious repository would unknowingly leak their credentials. Fixed in version 2.0.65 (December 2025).

Cursor: Remote Code Execution via MCP

CVE-2025-54135 (CVSS 8.6), dubbed "CurXecute," was discovered by researchers at AIM Security. The vulnerability exploited how Cursor handled Model Context Protocol server configurations. An attacker who controlled a connected MCP server—or who could inject content into one, such as through a crafted Slack message—could rewrite Cursor's local MCP configuration file and execute arbitrary commands on the developer's machine.

The attack chain was particularly alarming: a malicious message in a Slack channel, when summarized by Cursor's AI through a Slack MCP integration, could achieve full remote code execution on the developer's workstation within minutes. Cursor runs with full developer privileges, meaning the attacker inherits those privileges entirely.

A related vulnerability, CVE-2025-54136 ("MCPoison"), discovered by Check Point Research, exploited a similar flaw in how Cursor processes MCP server tool definitions, enabling attackers to inject malicious instructions invisible to the developer but interpreted by the AI.

Cursor patched both issues in version 1.3, adding mandatory approval prompts for any MCP configuration changes.

Windsurf: Persistent Memory Poisoning

Perhaps the most unsettling vulnerability involves Windsurf (formerly Codeium), where researcher Johann Rehberger demonstrated what he called the "SpAIware" exploit. An attacker could embed prompt injection payloads in source code that, when analyzed by Windsurf's Cascade agent, would silently write malicious instructions into the tool's long-term memory system.

Unlike other attacks that require repeated exploitation, this one persists. Once the malicious instruction is stored in memory, it executes automatically in every future session—potentially exfiltrating source code, environment variables, and other sensitive data continuously over weeks or months. The developer has no indication that their tool's memory has been compromised.

From the AI model's perspective, there is no difference between a legitimate system instruction and a memory entry planted by an attacker. Both are simply text in the prompt window. This is a fundamental architectural limitation that has no easy fix.

MCP Infrastructure: Systemic Risk

The vulnerabilities above share a common thread: the Model Context Protocol. MCP has rapidly become the standard way AI coding agents connect to external tools and data sources. But three critical vulnerabilities in Anthropic's own Git MCP server (CVE-2025-68145, CVE-2025-68143, CVE-2025-68144) demonstrated that even first-party MCP implementations can enable remote code execution via prompt injection, path validation bypasses, and argument injection.

The MCP ecosystem is growing rapidly—with thousands of servers now available—but security review has not kept pace. Palo Alto Networks' Unit 42 research team identified three critical attack patterns through MCP: resource theft (draining AI compute quotas), conversation hijacking (injecting persistent instructions that manipulate AI responses), and covert tool invocation (performing unauthorized file operations without user awareness).

Perhaps most concerning is what researchers call the "rug pull"—where an MCP server that initially behaves legitimately later updates its tool definitions to include malicious instructions. Because tool definitions load dynamically, the attack surface changes over time even if the initial setup was reviewed and approved.

It's Not Just These Three: The IDEsaster Disclosure

If the vulnerabilities above seem limited to a few products, consider the IDEsaster disclosure. Security researcher Ari Marzouk spent six months testing AI coding tools and discovered over 30 vulnerabilities—24 of which received CVE assignments. His conclusion: 100 percent of tested AI IDEs and coding assistants were vulnerable to prompt injection attacks that could escalate to arbitrary code execution.

The affected products span the market: GitHub Copilot, Cursor, Windsurf, Kiro, Zed, Roo Code, JetBrains Junie, and Cline. AWS issued security advisory AWS-2025-019 addressing prompt injection issues in Amazon Q Developer and Kiro. The attack pattern is consistent across all of them: prompt injection leads to tool misuse, which exploits base IDE features—file system access, terminal execution, network connectivity—to achieve full compromise.

Separate disclosures revealed similar flaws in other tools. OpenAI's Codex CLI (CVE-2025-61260) allowed a malicious repository's configuration file to execute arbitrary commands—including reverse shells—the moment a developer ran codex in the cloned directory. Google's Gemini CLI was similarly vulnerable, with embedded instructions in README.md files triggering silent code execution, classified as P1/S1 severity by Google's vulnerability program.

Slopsquatting: When AI Hallucinates Your Dependencies

Beyond direct exploitation, a subtler supply chain attack has emerged: slopsquatting. AI coding tools recommend non-existent software packages in approximately 20 percent of cases. Attackers monitor these hallucinated package names and register them on repositories like npm and PyPI with malicious code. When the next developer follows the same AI-generated suggestion, they install the attacker's package instead.

The problem is worse than random chance—researchers found that 43 percent of hallucinated package names recur across multiple runs, making them predictable targets. Between July 2025 and January 2026, 128 phantom packages accumulated over 121,000 downloads before detection.

Why This Is Different from Traditional Software Vulnerabilities

It's tempting to view these as ordinary software bugs—vulnerabilities that get patched and move on. But there are structural reasons why AI coding agents present a fundamentally different kind of security challenge.

The Attack Surface Is the Feature

Traditional software vulnerabilities typically result from implementation errors—buffer overflows, missing input validation, incorrect access controls. AI coding agent vulnerabilities often result from the tools working exactly as designed. The ability to read files, execute commands, and interact with external services is the product. Every capability that makes these tools useful also makes them exploitable. Understanding and managing your attack surface has always been important—but when AI agents operate with broad system access, the surface area expands significantly.

Prompt Injection Has No Architectural Fix

SQL injection was effectively solved through prepared statements—a clean separation between instructions and data. No equivalent solution exists for large language models. LLMs process instructions and data in the same way: as text in a context window. This means that any untrusted content an AI agent encounters—a code comment, a commit message, a Slack notification, a web page, an MCP tool response—can potentially redirect the agent's behavior.

The OWASP Top 10 for LLM Applications lists Prompt Injection as the number one risk (LLM01), and it's maintained that position since the list's inception. In December 2025, OWASP published a separate Top 10 specifically for Agentic Applications, with "Agent Goal Hijacking" as the top risk—acknowledging that autonomous AI tools present a categorically different threat model. Nearly 100 academic papers on arXiv address prompt injection in agentic AI as of February 2026, and no paper claims to have fully solved it. UC Berkeley's Dawn Song, one of the leading researchers in this space, has stated plainly: "We don't really have a silver-bullet defense right now."

Scale Amplifies Everything

According to the 2025 DORA report and independent analyses from DX, approximately 91 percent of engineering organizations have adopted at least one AI coding tool. The 2025 Stack Overflow Developer Survey found that 84 percent of developers use or plan to use AI in their development process. An estimated 41 percent of all code written in 2025 was AI-generated.

This means vulnerabilities in coding agents don't affect isolated users—they affect nearly the entire software development workforce. A single exploitable flaw in a widely-used tool creates exposure across thousands of organizations simultaneously.

What This Means for Your Business

Even if your organization doesn't employ software developers, this affects you. The software you rely on—from your CRM to your accounting platform—is increasingly being built with AI coding agents. Your vendors' developers face these same risks, amplifying third-party vendor risk. And if your organization does any custom development, internal tooling, or vibe coding, the risks are direct.

The readiness gap is significant. A recent survey found that 48 percent of cybersecurity professionals identify agentic AI as the number one attack vector heading into 2026—yet only 34 percent of enterprises have AI-specific security controls in place, and just 29 percent report being prepared to secure agentic AI deployments.

Treat Coding Agents as Privileged Access

AI coding agents have the same access as the developers who run them—and often more, since they can process information faster and may be connected to additional services via MCP. Organizations should inventory which coding agents are in use, what permissions they have, and what external services they connect to. This is a shadow AI problem: if you don't know which tools your developers are using, you can't assess the risk.

Establish MCP Governance

The Model Context Protocol is powerful, but every MCP server connection is a potential attack vector. Organizations should maintain an approved list of MCP servers, review tool definitions before deployment, and treat any MCP server that connects to sensitive systems (databases, cloud infrastructure, communication platforms) with the same rigor as a production API integration.

Keep Tools Updated

Every vulnerability described in this article has been patched. But patches only protect organizations that apply them. AI coding tools often update automatically, but enterprise deployments may pin versions or delay updates. Verify that your team is running current versions—Claude Code prior to 2.0.65, Cursor prior to 1.3.9, and Windsurf versions before their latest security updates all carry known exploitable vulnerabilities.

Restrict Agent Capabilities Where Possible

Most coding agents offer configuration options that limit what the tool can do without explicit approval. Review auto-run settings, auto-approve lists, and MCP auto-start configurations. The default settings for most tools prioritize convenience over security—adjust them based on your organization's risk tolerance.

Don't Trust Agent-Generated Credentials

As we detailed in our piece on why AI-generated passwords aren't secure, coding agents that generate passwords, API keys, or other secrets produce outputs with dramatically less entropy than dedicated cryptographic tools. Ensure that any credential generation in your development pipeline uses openssl rand or an equivalent CSPRNG—not the LLM's token predictor.

Audit for Leaked Credentials

The combination of broad file system access and network connectivity means that coding agent vulnerabilities can leak credentials that were never intended to leave the developer's machine. Regularly rotate API keys, database credentials, and access tokens—especially if your team has used AI coding tools to work with repositories containing sensitive configuration files. Having an incident response plan that accounts for AI-related credential exposure is increasingly important.

Include Coding Agents in Your AI Usage Policy

Your organization's AI usage policy should explicitly cover development tools—not just chatbots and productivity assistants. Define which tools are approved, which MCP integrations are permitted, and what security review is required before connecting an AI agent to sensitive systems.

The Bigger Picture

AI coding agents are not going away. They deliver genuine productivity improvements, and their capabilities are advancing rapidly. The organizations that benefit most will be those that adopt these tools with clear-eyed awareness of the risks—not those that avoid them entirely or adopt them without guardrails.

The security challenges are real but manageable. They require the same discipline that organizations already apply to other privileged tools: access controls, update management, monitoring, and clear policies. What's different is the pace of change. New capabilities, new integrations, and new attack techniques are emerging monthly.

Staying informed is part of staying secure. We've covered related developments in our analyses of Claude Code Security's vulnerability scanning capabilities, the security risks of vibe coding, and AI-powered cyber threats facing Canadian SMBs. As this landscape evolves, understanding both the opportunities and the risks will remain essential.

This article is intended for informational purposes only and does not constitute professional security, legal, or compliance advice. Organizations should consult with qualified cybersecurity professionals to assess their specific circumstances and develop appropriate protective measures.