A maximum-severity remote code execution (RCE) vulnerability in Google Gemini CLI has been disclosed by Novee Security, allowing unauthenticated external attackers to execute arbitrary commands directly on host systems, turning CI\/CD pipelines into viable supply-chain attack vectors.<\/p>\n
Google assigned the flaw a CVSS score of 10.0, the highest possible rating, underscoring the critical nature of the issue.<\/p>\n
Security researcher Elad Meged and the Novee Security team<\/a> discovered the vulnerability in both the\u00a0@google\/gemini-cli\u00a0package and the\u00a0google-github-actions\/run-gemini-cli\u00a0GitHub Action. <\/p>\n When processed by Gemini CLI in non-interactive environments, such as automated CI\/CD jobs, the tool implicitly trusts and executes this configuration resulting in remote code execution on the host system.<\/p>\n Google Gemini CLI Vulnerability<\/p>\n The vulnerability stems from Gemini CLI\u2019s handling of workspace trust in headless environments. In these scenarios, the tool automatically loads configuration files from the working directory without validation or user approval.<\/p>\n An attacker can exploit this behavior by submitting a malicious pull request containing crafted configuration files.<\/p>\n Once the CI\/CD workflow<\/a> runs, the Gemini CLI treats attacker-controlled content as trusted configuration. This triggers command execution on the host system before any sandbox protections are applied.<\/p>\n Notably, this attack does not rely on prompt injection or manipulation of AI model behavior. Instead, it operates at the infrastructure level, bypassing the AI decision-making process entirely.<\/p>\n The execution happened at the infrastructure layer, entirely bypassing the AI system\u2019s reasoning and safety mechanisms.<\/p>\n Every\u00a0google-github-actions\/run-gemini-cli\u00a0GitHub Action workflow below the patched versions was affected. Successful exploitation gave an unprivileged external attacker code execution on the CI\/CD runner, granting access to:<\/p>\n Repository source code and build artifacts<\/p>\n Secrets and credentials stored in the workflow environment<\/p>\n Cloud service tokens with downstream access<\/p>\n Lateral movement paths into connected production systems<\/p>\n Patches Released<\/p>\n Google released patches addressing the vulnerability in:<\/p>\n @google\/gemini-cli\u00a0versions\u00a00.39.1\u00a0and\u00a00.40.0-preview.3<\/p>\n google-github-actions\/run-gemini-cli\u00a0version\u00a00.1.22<\/p>\n Organizations using any earlier version of these packages in CI\/CD workflows should upgrade immediately and audit workflow logs for signs of unexpected configuration file loading or anomalous command execution.<\/p>\n This vulnerability arrives amid accelerating software supply chain attacks, including the\u00a0axios npm package hijack<\/a> (March 2026), the\u00a0Shai-Hulud self-replicating worm<\/a> (2025), the\u00a0XZ Utils backdoor<\/a> (2024), and the\u00a0Polyfill.io CDN hijack (2024).<\/p>\n AI coding agents now sit inside those same pipelines, according to Noovee Security<\/a>, holding the execution privileges of trusted contributors and reading from the same workspaces developers touch.<\/p>\n AI safety reviews probe model behavior. None of these tools evaluate how all layers, prompts, files, configuration, CI\/CD runners, cloud credentials, and host environments interact when an external attacker actively manipulates inputs.<\/p>\n Security teams should treat AI agents running in CI\/CD pipelines\u00a0as privileged infrastructure components, subject to the same scrutiny as any other trusted build system. <\/p>\n Follow us on\u00a0Google News<\/a>\u00a0,\u00a0LinkedIn<\/a>\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates.\u00a0Set Cyberpress as a Preferred Source in\u00a0Google<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"A maximum-severity remote code execution (RCE) vulnerability in Google Gemini CLI has been disclosed by Novee Security, allowing…\n","protected":false},"author":2,"featured_media":23112,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[9],"tags":[9644,2408,132,1430,10718],"class_list":{"0":"post-23111","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-google","8":"tag-cyber-security-news","9":"tag-gemini","10":"tag-google","11":"tag-google-gemini","12":"tag-vulnerability"},"_links":{"self":[{"href":"https:\/\/www.europesays.com\/ai\/wp-json\/wp\/v2\/posts\/23111","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.europesays.com\/ai\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.europesays.com\/ai\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.europesays.com\/ai\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.europesays.com\/ai\/wp-json\/wp\/v2\/comments?post=23111"}],"version-history":[{"count":0,"href":"https:\/\/www.europesays.com\/ai\/wp-json\/wp\/v2\/posts\/23111\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.europesays.com\/ai\/wp-json\/wp\/v2\/media\/23112"}],"wp:attachment":[{"href":"https:\/\/www.europesays.com\/ai\/wp-json\/wp\/v2\/media?parent=23111"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.europesays.com\/ai\/wp-json\/wp\/v2\/categories?post=23111"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.europesays.com\/ai\/wp-json\/wp\/v2\/tags?post=23111"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}