Gemini CLI workspace trust RCE flaw
Vulnerability
Summary
Hide ▲
Show ▼
Google has fixed Gemini CLI and google-github-actions/run-gemini-cli flaws that let untrusted workspace content trigger arbitrary commands on the host in CI/headless workflows. The issue carried CVSS 10.0, had no CVE identifier, and affected version ranges of the CLI and GitHub Actions workflow. The update now requires folders to be explicitly trusted, reducing the risk that a malicious .gemini/ configuration can bypass sandboxing and reach remote code execution.
Related Happenings
Google API keys Gemini single-service privilege escalation privilege-escalation flaw
Vulnerability
First: 26.02.2026 22:55
Last: 26.02.2026 22:55
Sources 1
About this happening:
**Google API keys** exposed in public code became a **Gemini authentication weakness**, allowing copied keys to reach **private data** and incur **API charges** on victim accounts...
Google API keys Gemini single-service privilege escalation privilege-escalation flaw
VulnerabilityAbout this happening: **Google API keys** exposed in public code became a **Gemini authentication weakness**, allowing copied keys to reach **private data** and incur **API charges** on victim accounts...
Gemini Enterprise zero-click indirect prompt injection security flaw
Vulnerability
First: 10.12.2025 14:05
Last: 10.12.2025 14:05
Sources 1
About this happening:
**Google Gemini Enterprise** and **Vertex AI Search** were patched after researchers found a **zero-click indirect prompt injection** flaw that could **exfiltrate sensitive corpor...
Gemini Enterprise zero-click indirect prompt injection security flaw
VulnerabilityAbout this happening: **Google Gemini Enterprise** and **Vertex AI Search** were patched after researchers found a **zero-click indirect prompt injection** flaw that could **exfiltrate sensitive corpor...
Google Gemini prompt injection and exfiltration flaws (multiple vulnerabilities)
Vulnerability
First: 30.09.2025 13:20
Last: 30.09.2025 13:20
Sources 1
About this happening:
**Google Gemini** vulnerability disclosure: **Tenable** identified the **Gemini Trifecta** across **Gemini Cloud Assist**, the **Search Personalization Model**, and the **Gemini B...
Google Gemini prompt injection and exfiltration flaws (multiple vulnerabilities)
VulnerabilityAbout this happening: **Google Gemini** vulnerability disclosure: **Tenable** identified the **Gemini Trifecta** across **Gemini Cloud Assist**, the **Search Personalization Model**, and the **Gemini B...
Timeline
-
30.04.2026 10:07 2 articles · 27d ago
Google patches Gemini CLI workspace-trust RCE flaw
Mitigation Patch UpdateGoogle patched a maximum-severity Gemini CLI flaw in the @google/gemini-cli npm package and the google-github-actions/run-gemini-cli GitHub Actions workflow that let an unprivileged external attacker force malicious content to load as Gemini configuration and execute arbitrary commands on host systems. The affected versions were @google/gemini-cli < 0.39.1, @google/gemini-cli < 0.40.0-preview.3, and google-github-actions/run-gemini-cli < 0.1.22; the update now requires folders to be explicitly trusted before configuration files can be accessed, and CI workflows handling untrusted inputs may also need trust settings and tool allowlist changes for --yolo mode.
Show sources
- Google Fixes CVSS 10 Gemini CLI CI RCE and Cursor Flaws Enable Code Execution — thehackernews.com — 30.04.2026 10:07
- Google Fixes CVSS 10 Gemini CLI CI RCE and Cursor Flaws Enable Code Execution — thehackernews.com — 30.04.2026 10:07