A significant security flaw has been identified in Google’s Gemini CLI, posing a threat to CI/CD environments, notably those utilizing GitHub Actions. This vulnerability, designated as CVE-2026-12537, allows unauthorized code execution.
Vulnerability Details
The issue affects @google/gemini-cli versions prior to 0.39.1 and 0.40.0-preview.3, as well as google-github-actions/run-gemini-cli versions before 0.1.22. Security experts found that the flaw stems from inadequate management of workspace trust and execution policies, potentially leading to remote code execution (RCE).
The vulnerability is particularly concerning in ‘headless’ environments like automated CI pipelines, where the Gemini CLI would automatically trust workspace folders. This default behavior meant environment variables from workspace files such as .gemini/.env could be loaded unchecked, opening the door to malicious exploitation.
Exploitation Risks
Once a CI workflow encounters untrusted data, such as a pull request, the Gemini CLI might execute harmful commands embedded in the repository. This scenario provides a pathway for RCE without user interaction. Additionally, the CLI’s --yolo mode previously bypassed strict tool allowlists, exacerbating risks.
Attackers exploiting this flaw could potentially execute commands directly on host systems running the pipeline, leading to severe consequences like accessing sensitive information or altering build outputs.
Mitigation and Recommendations
Google has issued patches that address these vulnerabilities by enforcing explicit workspace trust in headless modes and maintaining strict tool allowlists, even when --yolo mode is active. Users are urged to update to Gemini CLI version 0.39.1 or 0.40.0-preview.3, and run-gemini-cli version 0.1.22 or newer.
It is critical for users to examine CI/CD pipelines processing untrusted inputs and ensure the GEMINI_TRUST_WORKSPACE variable is true solely for trusted repositories. Implementing strong allowlists and minimizing command execution capabilities are also recommended.
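The pipeline review described above can be partly automated. The following audit script is an added example, not code from Google or from the advisory: it scans GitHub Actions workflow text for run-gemini-cli pinned below 0.1.22 and for GEMINI_TRUST_WORKSPACE set to true in a workflow triggered by pull requests. It assumes the variable is set in the workflow's env block and that pull_request and pull_request_target are the untrusted triggers to check; the sample workflows are constructed.

```python
import re

# Action name, fixed version and variable name come from the advisory above.
ACTION = "google-github-actions/run-gemini-cli"
FIXED = (0, 1, 22)
USES_RE = re.compile(r"uses:\s*['\"]?" + re.escape(ACTION) + r"@([^\s'\"#]+)")
TRUST_RE = re.compile(r"GEMINI_TRUST_WORKSPACE\s*:\s*['\"]?true\b", re.I)

def untrusted_triggers(text):
    """Return pull-request triggers declared in the workflow (assumed untrusted)."""
    found = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("on:") or re.fullmatch(r"-?\s*pull_request(_target)?:?", line):
            found.update(re.findall(r"\bpull_request(?:_target)?\b", line))
    return found

def audit_workflow(text):
    """Return a list of findings for one workflow file's text."""
    findings = []
    refs = USES_RE.findall(text)
    if not refs:
        return findings  # workflow does not use the action
    for ref in refs:
        m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", ref)
        if m is None:
            findings.append(f"unverifiable-pin:{ref}")  # SHA or floating tag
        elif tuple(map(int, m.groups())) < FIXED:
            findings.append(f"outdated-action:{ref}")
    triggers = sorted(untrusted_triggers(text))
    if triggers and TRUST_RE.search(text):
        findings.append("trust-on-untrusted-trigger:" + ",".join(triggers))
    return findings

# Constructed sample workflows (not taken from any real repository).
RISKY = """\
on:
  pull_request_target:
jobs:
  review:
    runs-on: ubuntu-latest
    env:
      GEMINI_TRUST_WORKSPACE: 'true'
    steps:
      - uses: google-github-actions/run-gemini-cli@v0.1.21
"""
PATCHED = RISKY.replace("pull_request_target:", "push:").replace("v0.1.21", "v0.1.22")

if __name__ == "__main__":
    for name, wf in (("risky", RISKY), ("patched", PATCHED)):
        print(name, audit_workflow(wf))
```

A pin reported as unverifiable (a commit SHA or a floating tag) has to be resolved to a release by hand before it can be compared with 0.1.22.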
This flaw, reported by Novee Security and Pillar Security, highlights the dangers of implicit trust within CI environments and underscores the necessity for robust validation and control measures in automated workflows.
Secure your systems by updating and reviewing your CI/CD practices to prevent potential exploitation of this critical vulnerability.
