Critical Google Gemini CLI Vulnerabilities Let Attackers Run Commands
Key Takeaways
- A critical remote code execution (RCE) vulnerability, rated CVSS 10.0, was discovered in Google’s Gemini CLI and its associated GitHub Action.
- The flaw allowed unauthenticated attackers to execute arbitrary commands on host systems by exploiting how the CLI handled workspace trust in automated CI/CD environments.
- This vulnerability bypassed traditional AI security measures like sandboxing and prompt injection defenses, affecting the underlying infrastructure.
- Patches are available: update @google/gemini-cli to version 0.39.1 or 0.40.0-preview.3, and google-github-actions/run-gemini-cli to version 0.1.22.
Critical Flaw in Google Gemini CLI Poses Supply Chain Threat
A severe remote code execution (RCE) vulnerability, scoring a maximum CVSS of 10.0, has been identified in the Google Gemini command-line interface (CLI) and its corresponding GitHub Action. This critical flaw enabled unauthorized external attackers to execute commands directly on host systems, effectively transforming automated CI/CD pipelines into potential vectors for supply chain attacks.
Notably, this exploit did not leverage common AI attack methods such as prompt injection or model manipulation. Instead, it was an infrastructure-level vulnerability that activated before the AI agents’ sandboxing mechanisms could even initialize, demonstrating a deeper architectural weakness.
Unpacking the Gemini CLI Vulnerability
The core of the issue resided in how the Gemini CLI managed workspace trust within non-interactive settings. When operating in a headless mode, typical for CI/CD jobs, the CLI automatically trusted the current workspace folder. This behavior meant it would load any agent configuration found in that directory without requiring human intervention, security reviews, or sandboxing.
An attacker could exploit this by introducing a malicious configuration file into a repository’s workspace, for instance, via a standard pull request. The Gemini agent would then implicitly trust and execute this file, leading to immediate code execution on the host machine running the workflow. Such host-level access grants an unprivileged outsider the ability to access sensitive data, including secrets, cloud credentials, and source code available to the workflow. This level of compromise is sufficient to facilitate token theft, enable supply-chain pivots, and allow lateral movement into downstream production environments.
Google Releases Patches
Google has promptly released security patches to mitigate this critical vulnerability. System administrators are urged to upgrade their environments without delay to prevent potential exploitation. The following patched versions address the unauthenticated execution flaw:
- Update @google/gemini-cli to version 0.39.1 or 0.40.0-preview.3.
- Update google-github-actions/run-gemini-cli to version 0.1.22.
According to Novee Research, AI coding agents frequently operate within development pipelines, often with the same execution privileges as trusted human contributors. This deep integration means that vulnerabilities within AI infrastructure present a significant supply-chain risk. The Gemini CLI flaw underscores that modern AI security must encompass the entire path from the model to the application, including shell tools, repository files, and deployment workflows.
Threat actors are increasingly targeting development pipelines to distribute malicious payloads at scale to downstream users. Recent notable software supply-chain incidents highlight this accelerating trend, including:
- The compromise of millions of axios npm package installations in March 2026 due to a hijacked maintainer account.
- The Shai-Hulud worm impacting hundreds of npm packages in 2025, deploying a data wiper in its v2.0 variant.
- The discovery in 2024 of a backdoor in XZ Utils that enabled RCE through OpenSSH on affected Linux systems.
- The Polyfill.io CDN hijack in 2024, which caused sites embedding the script to automatically load malicious code.
What You Should Do
- Immediately update @google/gemini-cli to version 0.39.1 or 0.40.0-preview.3.
- Immediately update google-github-actions/run-gemini-cli to version 0.1.22.
- Review CI/CD pipeline configurations to ensure that automated workflows do not implicitly trust external or untrusted input.
- Implement robust approval processes for pull requests, especially those that modify configuration files impacting build or deployment processes.
- Regularly audit dependencies and integrated tools in your development pipeline for known vulnerabilities.
- Consider segmenting build environments and using least-privilege principles for service accounts running CI/CD jobs.
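To turn the update and dependency-audit steps above into a repeatable check, here is an added example (not code from the article, Google, or Novee Research) that scans a workflow file and a package.json for references to the two components and flags any declared version below the patched ones. The sample workflow and package.json are constructed; the regex matching, the assumption that release lines newer than those listed are patched, and the treatment of non-version pins (such as commit SHAs) as unverified are this example's own choices.

```python
import re

# Constructed sample inputs (not from the advisory): a workflow step pinning the
# action and a package.json dependency, both on versions below the patched ones.
SAMPLE_WORKFLOW = """\
jobs:
  review:
    steps:
      - uses: google-github-actions/run-gemini-cli@v0.1.21
"""
SAMPLE_PACKAGE_JSON = '{"devDependencies": {"@google/gemini-cli": "^0.39.0"}}'

# Minimum patched version per release line, as given in the advisory.
MIN_PATCHED = {
    "google-github-actions/run-gemini-cli": {(0, 1): "0.1.22"},
    "@google/gemini-cli": {(0, 39): "0.39.1", (0, 40): "0.40.0-preview.3"},
}


def version_key(ver):
    """Sortable key for 'v0.1.21' / '^0.39.0' / '0.40.0-preview.3'.
    Returns None for anything that is not a dotted version (e.g. a commit SHA)."""
    base, _, pre = ver.lstrip("v^~=").partition("-")
    if not re.fullmatch(r"\d+(\.\d+)*", base):
        return None
    nums = tuple(int(p) for p in base.split("."))
    if not pre:                      # final release sorts after its prereleases
        return nums + (1, 0)
    _tag, _, n = pre.partition(".")  # 'preview.3' -> 3
    return nums + (0, int(n or 0))


def is_patched(component, ver):
    """True/False against the advisory's fixed versions; None if unverifiable.
    Assumption: release lines newer than any listed are patched, older are not."""
    key = version_key(ver)
    if key is None or len(key) < 4:
        return None
    lines = MIN_PATCHED[component]
    line = key[:2]
    if line in lines:
        return key >= version_key(lines[line])
    return line > max(lines)


def audit(workflow_text, package_json_text):
    """Return (component, declared version, verdict) for every unpatched or
    unverifiable reference. Declared ranges are not resolved against a lockfile."""
    refs = re.findall(r"uses:\s*(google-github-actions/run-gemini-cli)@(\S+)", workflow_text)
    refs += re.findall(r'"(@google/gemini-cli)"\s*:\s*"([^"]+)"', package_json_text)
    findings = []
    for component, ver in refs:
        verdict = is_patched(component, ver)
        if verdict is not True:
            findings.append((component, ver, "unverified" if verdict is None else "unpatched"))
    return findings
```

A caret range such as ^0.39.0 may resolve to a patched version in the lockfile, so treat an "unpatched" finding as a prompt to check the resolved version rather than as proof of exposure.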