CyberHappenings logo
Home Browse Watchlists Experimental About

Track cybersecurity events as they unfold. Sourced timelines. Filter, sort, and browse. Fast, privacy‑respecting. No invasive ads, no tracking.

Antigravity IDE prompt injection flaw leads to sandbox escape and RCE in Google’s agentic development environment

First reported
Last updated
1 unique sources, 1 articles

Summary

Hide ▲

A critical prompt injection vulnerability in Google’s agentic integrated developer environment (IDE) Antigravity allowed attackers to achieve remote code execution (RCE) and sandbox escape via a proof-of-concept (PoC) attack. The flaw, discovered by Pillar Security, exploited insufficient input sanitization in the IDE’s file-search tool (find_by_name) to inject command-line flags into the underlying fd utility, converting a legitimate search into arbitrary code execution. The attack bypassed Antigravity’s Secure Mode—designed to restrict network access, prevent out-of-workspace writes, and enforce sandboxed command execution—because the vulnerable tool call was executed before security controls were enforced. Google patched the flaw in February 2026 after receiving a report in January 2026. The vulnerability highlights persistent risks in agentic IDEs, where tool-execution primitives with insufficient input validation can be weaponized through prompt injection, enabling full system compromise without additional user interaction.

Timeline

  1. 21.04.2026 13:52 1 articles · 5h ago

    Antigravity IDE prompt injection flaw patched by Google after Pillar Security reports sandbox escape and RCE risk

    Pillar Security discovered and reported a critical prompt injection flaw in Google’s agentic IDE Antigravity in January 2026 that enabled sandbox escape and remote code execution (RCE) via a tool-execution primitive (find_by_name) with insufficient input sanitization. The vulnerability allowed attackers to inject command-line flags into the fd utility, converting a file search operation into arbitrary code execution. The attack bypassed Antigravity’s Secure Mode because the vulnerable tool call executed before security controls were enforced. Google patched the issue in February 2026, after which Pillar Security was awarded a bug bounty for the disclosure.

    Show sources
    Open in new tab

Information Snippets

  • Antigravity’s find_by_name tool’s Pattern parameter was vulnerable to command-line flag injection due to insufficient input sanitization, allowing the fd utility to execute arbitrary commands.

    First reported: 21.04.2026 13:52
    1 source, 1 article
    Show sources

  • The flaw enabled a full attack chain: an attacker could stage a malicious script via a prompt injection, then trigger it through a seemingly legitimate file search, achieving RCE without further user interaction.

    First reported: 21.04.2026 13:52
    1 source, 1 article
    Show sources

  • Antigravity’s Secure Mode, intended to restrict network access, prevent out-of-workspace writes, and enforce sandboxed command execution, was bypassed because the vulnerable tool call executed before these security controls were evaluated.

    First reported: 21.04.2026 13:52
    1 source, 1 article
    Show sources

  • Google patched the vulnerability in February 2026, shortly after receiving Pillar Security’s report in January 2026. Pillar Security received a bug bounty for the disclosure, though the amount was not disclosed.

    First reported: 21.04.2026 13:52
    1 source, 1 article
    Show sources

  • Similar prompt injection flaws have been identified in other AI-based IDEs, such as Cursor (CVE-2026-22708), and non-AI IDEs like AngularJS, indicating a recurring pattern in tool-execution primitives with inadequate input validation.

    First reported: 21.04.2026 13:52
    1 source, 1 article
    Show sources