GhostApproval exposed a symlink trust-boundary flaw across six AI coding assistants simultaneously, and the four different vendor responses reveal something more important than the vulnerability: there is no shared security contract governing what these tools are allowed to do.
MCP's trust architecture makes any exposed management interface a pre-authenticated command shell by design, not by accident, and two RCE vulnerabilities in the same week reveal a deployment curve that has outrun both audit methodology and detection playbooks.
Five AI infrastructure disclosures in one day share the same root cause: the gap between what users believe their security settings do and what the framework actually executes.