Critical Gemini CLI Flaw Enables Remote Code Execution

Google has patched a critical security flaw in the Gemini CLI that could allow attackers to execute remote code within certain automated workflows.

The issue affects the npm package @google/gemini-cli and the google-github-actions/run-gemini-cli GitHub Action, especially when they are used in headless environments such as CI/CD pipelines.

According to the security advisory, the vulnerability comes from two related weaknesses: unsafe workspace trust handling and a bypass of tool allowlisting under –yolo mode.

Together, these flaws could expose systems that process untrusted content, such as pull requests or issue submissions from external users.

Gemini CLI RCE Vulnerability

The first problem involves folder trust in headless mode. In earlier versions, Gemini CLI automatically trusted the current workspace when running in non-interactive environments.

That meant the tool could load local configuration files and environment variables from the .gemini/ directory without explicit approval.

If an attacker placed malicious content in that directory, the CLI could process it and potentially execute harmful commands.

In practice, this created a path to remote code execution in CI workflows that handled untrusted repositories.

The second issue affects tool allowlisting under –yolo mode. Previous releases did not properly enforce fine-grained tool restrictions defined in ~/.gemini/settings.json when –yolo was enabled.

For example, if a workflow allowed run_shell_command, the policy could become too broad and permit dangerous commands instead of only approved ones.

In environments that process untrusted prompts or user-controlled text, this weakness could be abused through prompt injection to trigger command execution.

The advisory says the impact is limited to Gemini CLI deployments in headless mode, but that still includes many GitHub Actions workflows.

Google warns that all users should review how Gemini CLI is configured in automation pipelines, especially where external contributors can influence files, prompts, or environment settings.

Patched versions are now available. Users should upgrade @google/gemini-cli to or.

The run-gemini-cli GitHub Action is patched in version. Workflows that pin older Gemini CLI versions should be updated immediately.

Google also introduced a breaking security change. Headless mode will no longer automatically trust workspace folders.

Organizations using trusted inputs must explicitly set GEMINI_TRUST_WORKSPACE: ‘true’.

For workflows that process untrusted content, Google recommends following its hardening guidance and carefully reviewing allowed tools and command execution settings.

The flaw was reported by Elad Meged (Novee Security) and Dan Lisichkin (Pillar Security) through Google’s Vulnerability Rewards Program.

The case highlights a growing risk in AI-powered developer tools: when automation, prompt handling, and shell access meet untrusted input, small policy gaps can quickly become critical attack paths.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.