A severe vulnerability in Google Gemini’s command-line interface (CLI) and its associated GitHub Action has been identified that allows attackers to execute commands remotely on host systems. The flaw, rated at the maximum CVSS score of 10.0, lets unprivileged external attackers manipulate affected systems through this gap.
Understanding the Gemini CLI Vulnerability
The vulnerability in the Google Gemini CLI turns automated CI/CD pipelines into software supply-chain attack vectors. Unlike typical AI vulnerabilities involving prompt injection or model tampering, this one operates at the infrastructure level, triggering before the AI agent’s sandbox environment is initialized.
The problem stems from how the Gemini CLI handles workspace trust in non-interactive settings. When running in headless mode during CI/CD operations, the CLI automatically trusts the workspace folder and loads any agent settings found there without user consent or any security evaluation.
Implications of the Security Flaw
This automatic trust mechanism poses a significant risk. An attacker can introduce a harmful configuration file into a repository’s workspace simply by submitting a pull request. The Gemini agent will then trust this file, leading to immediate execution of arbitrary code on the machine running the workflow.
Such host-level execution gives attackers access to sensitive data, including secrets, cloud credentials, and source code, and can facilitate token theft and lateral movement within production environments. This underlines the urgency for administrators to apply the latest security patches provided by Google.
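The mechanism described above (a PR-supplied configuration file that a headless agent auto-trusts) is easiest to defend against before the agent starts. The following is an added example, not Google’s code or part of the advisory: a pre-flight gate for the CI job that refuses to launch the agent when a pull request modifies agent-configuration or workflow files, or comes from a non-maintainer without a maintainer approval on the exact revision that would be checked out. The `.gemini/` and `GEMINI.md` paths, the `PullRequest` shape and the policy itself are assumptions for the example; adjust them to the agent and review process in use.

```python
"""
Pre-flight gate for a CI job that runs a coding agent headless against a
pull-request checkout. Added example (not Google's code): it refuses to start
the agent when the PR touches agent-configuration or workflow files, or when
the PR comes from a non-maintainer without a maintainer approval on the exact
revision about to be checked out.
"""
import fnmatch
from dataclasses import dataclass, field

# Paths a PR could use to smuggle settings the agent would auto-trust.
# The agent paths are assumptions for this example; adjust to the agent in use.
SENSITIVE_PATTERNS = (
    ".gemini/*",             # assumed agent settings directory
    "GEMINI.md",             # assumed agent instruction file at the repo root
    "*/GEMINI.md",           # ... or nested in a subdirectory
    ".github/workflows/*",   # the workflows that invoke the agent
)


@dataclass
class PullRequest:
    number: int
    author: str
    head_sha: str                                    # revision the workflow would check out
    changed_files: list = field(default_factory=list)
    approvals: dict = field(default_factory=dict)    # reviewer -> sha they approved


@dataclass
class Decision:
    allowed: bool
    reasons: list


def sensitive_changes(files):
    """Return the changed paths that match a sensitive pattern."""
    return [f for f in files if any(fnmatch.fnmatch(f, p) for p in SENSITIVE_PATTERNS)]


def gate(pr, maintainers):
    """Decide whether the headless agent may run on this PR's checkout."""
    reasons = []
    hits = sensitive_changes(pr.changed_files)
    if hits:
        # Configuration edits get a human review first; the agent only runs
        # once a maintainer has merged them, never on the unmerged PR.
        reasons.append("PR modifies agent or workflow configuration: " + ", ".join(hits))
    if pr.author not in maintainers:
        # An approval counts only if a maintainer approved this exact head
        # revision; an approval on an earlier commit is stale once more
        # commits are pushed to the PR.
        current = {r for r, sha in pr.approvals.items()
                   if r in maintainers and sha == pr.head_sha}
        if not current:
            reasons.append("author is not a maintainer and no maintainer approved " + pr.head_sha)
    return Decision(allowed=not reasons, reasons=reasons)


if __name__ == "__main__":
    # Constructed sample data for a stand-alone run.
    maintainers = {"alice", "bob"}
    samples = [
        PullRequest(1, "mallory", "c0ffee", [".gemini/settings.json"], {"alice": "c0ffee"}),
        PullRequest(2, "mallory", "c0ffee", ["src/app.py"], {"alice": "c0ffee"}),
        PullRequest(3, "mallory", "c0ffee", ["src/app.py"], {"alice": "deadbe"}),
        PullRequest(4, "alice", "c0ffee", [".github/workflows/ci.yml"]),
    ]
    for pr in samples:
        d = gate(pr, maintainers)
        print(f"PR #{pr.number}: {'RUN' if d.allowed else 'BLOCK'} {d.reasons}")
```

The gate is meant to run as the first step of the workflow, before any checkout of the PR head, so the agent never sees an untrusted settings file at all; tying approvals to the head SHA closes the window where an approved PR is amended with a malicious configuration after review.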
Response and Mitigation Strategies
Google has released patches for this vulnerability. Organizations must update to version 0.39.1 or 0.40.0-preview.3 of @google/gemini-cli and to version 0.1.22 of google-github-actions/run-gemini-cli to secure their systems.
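To check whether a repository is on the fixed versions, the following added example (not Google’s tooling) audits an npm lockfile for the installed @google/gemini-cli and scans workflow files for run-gemini-cli references, comparing them against the fixed versions named above. The lockfile layout used is the `packages` map of npm lockfile v2/v3; the rule that preview trains later than 0.40.0 also carry the fix is an assumption of this example, not a statement from the advisory.

```python
"""
Audit pinned versions of the Gemini CLI npm package and the run-gemini-cli
GitHub Action against the fixed versions named in the advisory.
Added example, not Google's tooling. The fixed versions are the article's;
the assumption that preview trains after 0.40.0 include the fix is ours.
"""
import json
import re

FIXED_CLI_STABLE = (0, 39, 1)          # @google/gemini-cli 0.39.1
FIXED_CLI_PREVIEW_TRAIN = (0, 40, 0)   # 0.40.0-preview.N ...
FIXED_CLI_PREVIEW_N = 3                # ... with N >= 3
FIXED_ACTION = (0, 1, 22)              # google-github-actions/run-gemini-cli 0.1.22

VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-preview\.(\d+))?$")
USES_RE = re.compile(r"uses:\s*google-github-actions/run-gemini-cli@(\S+)")


def parse_version(text):
    """Split 'v0.40.0-preview.3' into ((0, 40, 0), 3); stable versions give None."""
    m = VERSION_RE.match(text.strip().strip("'\""))
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch)), (int(pre) if pre is not None else None)


def cli_is_patched(version):
    """True if this @google/gemini-cli version is at or past a fixed release."""
    base, pre = parse_version(version)
    if pre is None:
        return base >= FIXED_CLI_STABLE
    if base == FIXED_CLI_PREVIEW_TRAIN:
        return pre >= FIXED_CLI_PREVIEW_N
    return base > FIXED_CLI_PREVIEW_TRAIN   # assumption: later preview trains carry the fix


def audit_lockfile(lock_json):
    """Check the installed @google/gemini-cli in an npm lockfile (v2/v3 'packages' layout)."""
    pkgs = json.loads(lock_json).get("packages", {})
    entry = pkgs.get("node_modules/@google/gemini-cli")
    if entry is None:
        return "absent"
    return "patched" if cli_is_patched(entry["version"]) else f"vulnerable ({entry['version']})"


def audit_workflow(yaml_text):
    """Classify each run-gemini-cli reference found in a workflow file."""
    findings = []
    for ref in USES_RE.findall(yaml_text):
        ref = ref.strip("'\"")
        if re.fullmatch(r"[0-9a-f]{40}", ref):
            # A commit pin cannot be compared numerically; resolve it by hand.
            findings.append((ref, "commit-pinned: confirm the SHA is a release >= v0.1.22"))
            continue
        try:
            base, _ = parse_version(ref)
        except ValueError:
            # 'v0' or 'main' float with upstream; pin to a reviewed release instead.
            findings.append((ref, "floating or unparseable ref: pin to a reviewed release"))
            continue
        findings.append((ref, "patched" if base >= FIXED_ACTION else "vulnerable"))
    return findings


# Constructed sample inputs (not from any real repository).
SAMPLE_LOCK = json.dumps({
    "name": "demo", "lockfileVersion": 3,
    "packages": {"node_modules/@google/gemini-cli": {"version": "0.38.5"}},
})
SAMPLE_WORKFLOW = """
jobs:
  review:
    steps:
      - uses: actions/checkout@v4
      - uses: google-github-actions/run-gemini-cli@v0.1.21
      - uses: google-github-actions/run-gemini-cli@v0
"""

if __name__ == "__main__":
    print("lockfile:", audit_lockfile(SAMPLE_LOCK))
    for ref, status in audit_workflow(SAMPLE_WORKFLOW):
        print(f"workflow ref {ref}: {status}")
```

Run it against the real `package-lock.json` and each file under `.github/workflows/` rather than the constructed samples; floating tags such as `v0` are reported separately because their contents change without any edit to the repository.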
Novee Research highlights the inherent risk of AI coding agents operating with the same privileges as trusted human developers. Because the agents share those privileges, a vulnerability in AI infrastructure becomes a significant supply-chain threat.
Recent high-profile software supply-chain attacks underscore this growing trend. Notable incidents include the compromise of millions of axios npm installations in 2026, the Shai-Hulud worm attacking npm packages in 2025, and the RCE backdoor in XZ Utils discovered in 2024.
