Google Gemini CLI Flaws Allow Remote Code Execution on Hosts
A critical remote code execution (RCE) vulnerability affects the Google Gemini CLI and its associated GitHub Action. Carrying a maximum severity score of CVSS 10.0, the flaw allowed unprivileged external attackers to execute commands directly on host systems.
This vulnerability effectively turned automated CI/CD pipelines into potential attack vectors in the supply chain.
Unlike typical AI exploits, this did not rely on prompt injection or model manipulation.
Instead, it was an infrastructure-level exploit that triggered before the AI agent's sandbox could even initialize.
Google Gemini CLI Vulnerabilities
The core issue was how the Gemini CLI handled workspace trust in non-interactive environments.
When operating in headless mode during a CI/CD job, the CLI automatically trusts the current workspace folder.
It loaded any agent configuration found in that directory without requiring human approval, security reviews, or sandboxing.
An attacker could easily plant a malicious configuration file in a repository’s workspace by opening a standard pull request.
The Gemini agent would silently trust this file, resulting in immediate code execution on the host machine running the workflow.
This host-level execution grants an unprivileged outsider access to whatever secrets, cloud credentials, and source code the workflow can reach.
This level of access is enough to facilitate token theft, supply-chain pivots, and lateral movement into downstream production environments.
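The mechanism above (a headless agent auto-trusting whatever configuration sits in the checked-out workspace) can be gated before the agent ever starts. The following pre-flight check is an added example written for this article, not Google's or Novee Research's code; the configuration paths it watches (`.gemini/`, `GEMINI.md`, `.github/workflows/`) and the repository names are assumed placeholders, and the changed-file list stands in for the output of `git diff --name-only base...head` in a real job.

```shell
#!/bin/sh
# Added example (not from the article, Google, or Novee Research): a pre-flight
# gate for a CI step that runs an AI coding agent in headless mode. Because the
# agent auto-trusts configuration found in the workspace, a pull request that
# edits those files must not be allowed to start the agent unreviewed.
# The paths below are ASSUMED placeholders; use the files your agent reads.

# agent_config_touched <changed-path>...
# Returns 0 if any changed path is one the agent would auto-trust, else 1.
agent_config_touched() {
  for f in "$@"; do
    case "$f" in
      .gemini/*|GEMINI.md|.github/workflows/*) return 0 ;;
    esac
  done
  return 1
}

# gate_decision <head-repo> <base-repo> <changed-path>...
# Prints "block" when an external (fork) PR changes agent configuration, since
# that is exactly the unreviewed trust path the article describes. Same-repo
# edits print "allow" but emit a warning so a maintainer reviews the change.
gate_decision() {
  head_repo=$1
  base_repo=$2
  shift 2
  if agent_config_touched "$@"; then
    if [ "$head_repo" != "$base_repo" ]; then
      echo "block"
      return 0
    fi
    echo "warning: agent configuration changed in same-repo PR; review before merge" >&2
  fi
  echo "allow"
  return 0
}

# Constructed sample inputs standing in for the PR head/base repositories and
# the changed-file list a real workflow would pass in.
gate_decision "fork/app" "org/app" src/server.js .gemini/settings.json   # prints "block"
gate_decision "org/app"  "org/app" src/server.js README.md               # prints "allow"
```

In a workflow, run this step before the agent step and make the agent step conditional on the printed decision, so untrusted configuration never reaches a headless agent.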
Google has released security patches to address this critical vulnerability. Administrators must upgrade their environments immediately to prevent exploitation.
The following patched versions resolve the unauthenticated execution flaw:
- Update @google/gemini-cli to version 0.39.1 or 0.40.0-preview.3.
- Update google-github-actions/run-gemini-cli to version 0.1.22.
According to Novee Research, AI coding agents often run within development pipelines with the same execution privileges as trusted human contributors.
This deep integration means vulnerabilities in AI infrastructure pose a massive supply-chain risk.
The Gemini CLI flaw demonstrates that modern AI security must protect the entire path from the model to the application, including shell tools, repository files, and deployment workflows.
Threat actors increasingly target the development pipeline to distribute malicious payloads to downstream users at scale.
Recent notable software supply-chain incidents highlight this accelerating trend:
- A hijacked maintainer account compromised millions of axios npm package installations in March 2026.
- The Shai-Hulud worm hit hundreds of npm packages in 2025, deploying a data wiper in its v2.0 variant.
- Attackers planted a backdoor in XZ Utils in 2024 that enabled RCE through OpenSSH on affected Linux systems.
- The Polyfill.io CDN hijack in 2024 caused sites that embedded the service's scripts to automatically load malicious code.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.