TrustFall CVE — KCP passive data¶
May 8, 2026 · LinkedIn
9 reactions · 0 comments · 483 views
Adversa AI disclosed TrustFall yesterday, and it deserves more attention than it is getting.
The vulnerability: a .mcp.json file in a cloned repository silently spawns MCP servers the moment a developer clicks "trust this folder." Claude Code, Gemini CLI, Cursor, GitHub Copilot — all affected. This is the third Anthropic CVE in six months with the same root cause.
The problem is not a bug. It is a category error baked into the architecture. "Reading project configuration" and "spawning processes with user privileges" are gated by a single consent mechanism. Those two things are not the same risk, and they should not share the same gate.
This is part of why KCP manifests are designed as passive data. YAML only. No binary references. No process invocation. The worst a malicious knowledge.yaml can do is mislead an agent with inaccurate metadata — not escalate privileges. The CLAUDE.md bootstrapping pattern I use is plain text telling Claude Code to read a file. That is TrustFall-safe by construction, not by accident.
The architecture I keep coming back to: KCP belongs in repositories, the way READMEs do. MCP belongs in user-level config, the way sudo does. Mixing those layers is where the risk lives.
Is the industry moving toward that separation, or are we going to keep patching the same category error?
Blog posts:
https://lnkd.in/dzZab9Zf
https://lnkd.in/d-RqGGxG