Google Fixes Critical RCE Flaw in AI-Based Antigravity Tool

VULNERABILITIES & THREATS CYBERATTACKS & DATA BREACHES CYBER RISK APPLICATION SECURITY NEWS Google Fixes Critical RCE Flaw in AI-Based Antigravity Tool The prompt injection vulnerability in the agentic AI product for filesystem operations was a sanitization issue that allowed for sandbox escape and arbitrary code execution. Elizabeth Montalbano,Contributing Writer April 21, 2026 4 Min Read SOURCE: NICO EL NINO VIA ALAMY STOCK PHOTO Google has fixed a critical flaw in its agentic integrated developer environment (IDE) Antigravity that led to sandbox escape and remote code execution (RCE) after researchers created a proof of concept (PoC) prompt injection attack exploiting it.  Prompt injection issues are becoming a major thorn in the side of artificial intelligence (AI) tools, although, in this case, the vulnerability seems to be more of a common problem with IDEs in general rather than an AI-specific one. IDEs are a package of basic tools and capabilities that developers need to program, edit, and test software code; Antigravity is an agentic IDE that provides developers with native tools for filesystem operations. Researchers at Pillar Security uncovered a critical flaw in Antigravity's tool-execution model that allows attackers to escalate a seemingly benign prompt injection into full system compromise, according to a blog post published this week. The issue centers on how the IDE handles internal tool calls — specifically, a file-search capability that executes before security controls are enforced.  Related:Every Old Vulnerability Is Now an AI Vulnerability The flaw affects the find_by_name tool's Pattern parameter, allowing attackers to exploit insufficient input sanitization and for injection of command-line flags into the underlying fd utility, according to the post. This basically converts a file search operation into arbitrary code execution. 'Full Attack Chain' Ultimately, combined with Antigravity's ability to create files as a permitted action, the result is "a full attack chain: stage a malicious script, then trigger it through a seemingly legitimate search, all without additional user interaction once the prompt injection lands," Pillar Security's Dan Lisichkin wrote in the post. The vulnerability is dangerous because it bypasses Antigravity's Secure Mode, the product's most restrictive security configuration.  "Secure Mode is designed to restrict network access, prevent out-of-workspace writes, and ensure all command operations run strictly under a sandbox context," Lisichkin wrote. "None of these controls prevent exploitation, because the find_by_name tool call fires before any of these restrictions are evaluated." That means that the agent treats the call as a native tool invocation, not a shell command, so it never reaches the security boundary that Secure Mode enforces, he said. "This means an attacker achieves arbitrary code execution under the exact configuration a security-conscious user would rely on to prevent it," Lisichkin wrote. Related:NIST Revamps CVE Framework to Focus on High-Impact Vulnerabilities Google had not responded to a Dark Reading request for comment as of this posting. Prompt Injection Poses Danger Prompt injection flaws are becoming some of the most common vulnerabilities found in agentic AI tools, whether they be IDEs or chatbots. Security researchers have found this issue in other AI tools as well, including ChatGPT's Atlas browser and Google Gemini AI chatbot. However, in this case, it seems the flaw may be more of an IDE issue than one that's related to Gravity being an AI-based tool, says Fredrik Almroth, co-founder & security researcher at application security testing firm Detectify. "This is an issue across IDEs, AI or not," Almroth tells Dark Reading via an email exchange. "It’s almost inevitable: Any time you have a primitive that reads or writes files or executes commands, there is a risk of security breaches. Making a 'fully secure' sandbox environment is virtually impossible." Almroth cited AngularJS, a Java-based tool also developed by Google, as an example of a non-AI-based IDE with a similar issue. "[Google] introduced a sandbox in 2010 to prevent 'client-side template injection attacks' (XSS)," he says. "All versions of Angular v1 have had their sandbox bypassed. They never got it right, so in v2 it was completely removed." Related:Privilege Elevation Dominates Massive Microsoft Patch Update Other AI-based IDEs seem to suffer from similar issues, too, according to Pillar. Earlier research the firm disclosed about the prompt-injection flaw CVE-2026-22708 in the AI-assisted development environment Cursor demonstrates that the pattern repeats across agentic IDEs when tools designed for constrained operations become attack vectors if their inputs are not strictly validated, Lisichkin wrote. "The trust model underpinning security assumptions, that a human will catch something suspicious, does not hold when autonomous agents follow instructions from external content," he explained. How to Fix a Recurring IDE Issue The good news for AntiGravity is that Google acknowledged and fixed the prompt injection flaw identified by Pillar in February, not long after it was reported to them in January, according to Pillar. Pillar's research team was awarded a bug bounty for the find, though the amount was not disclosed. To solve the larger prompt-injection issue, however, the industry must move beyond sanitization-based controls toward execution isolation, Lisichkin suggested, since "every native tool parameter that reaches a shell command is a potential injection point." That means that those developing AI agentic IDEs must make it mandatory to audit for this class of vulnerability to ship agentic features safely, he said. While it's possible to achieve secure sandboxing during development, "it's incredibly hard to secure a development environment that absolutely must be able to read and write files while still invoking utilities," Almroth says. Moreover, "having an LLM in the mix adds another layer of complexity to a challenge companies have been struggling with for years," he says, which means those developing AI tools should be mindful of the issue before releasing new builds. About the Author Elizabeth Montalbano Contributing Writer Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking. Want more Dark Reading stories in your Google search results? ADD US NOW More Insights Industry Reports CISO Survey 2026: The State of Incident Response Readiness AI SOC for MDR: The Structural Evolution of Managed Detection and Response How Enterprises Are Developing Secure Applications KuppingerCole Business Application Risk Management Leadership Compass 2026 CISO AI Risk Report Access More Research Webinars Defending Against AI-Powered Attacks: The Evolution of Adversarial Machine Learning Tips for Managing Cloud Security in a Hybrid Environment? Zero Trust Architecture for Cloud environments: Implementation Roadmap Security in the AI Age Critical Infrastructure Protection: Security Industrial Control Systems More Webinars You May Also Like VULNERABILITIES & THREATS Cheap Hardware Module Bypasses AMD, Intel Memory Encryption by Rob Wright NOV 25, 2025 VULNERABILITIES & THREATS Patch Now: Microsoft Flags Zero-Day & Critical Zero-Click Bugs by Jai Vijayan, Contributing Writer NOV 11, 2025 VULNERABILITIES & THREATS 350M Cars, 1B Devices Exposed to 1-Click Bluetooth RCE by Nate Nelson, Contributing Writer JUL 11, 2025 VULNERABILITIES & THREATS AI Agents Fail in Novel Ways, Put Businesses at Risk by Robert Lemos, Contributing Writer MAY 07, 2025 Editor's Choice VULNERABILITIES & THREATS EDR-Killer Ecosystem Expansion Requires Stronger BYOVD Defenses byRob Wright APR 14, 2026 8 MIN READ СLOUD SECURITY CSA: CISOs Should Prepare for Post-Mythos Exploit Storm byAlexander Culafi APR 13, 2026 6 MIN READ СLOUD SECURITY Navigating the Unique Security Risks of Asia's Digital Supply Chain byAlexander Culafi APR 15, 2026 3 MIN READ Want more Dark Reading stories in your Google search results? 2026 Security Trends & Outlooks THREAT INTELLIGENCE Cybersecurity Predictions for 2026: Navigating the Future of Digital Threats JAN 2, 2026 CYBER RISK Navigating Privacy and Cybersecurity Laws in 2026 Will Prove Difficult JAN 12, 2026 ENDPOINT SECURITY CISOs Face a Tighter Insurance Market in 2026 JAN 5, 2026 THREAT INTELLIGENCE 2026: The Year Agentic AI Becomes the Attack-Surface Poster Child JAN 30, 2026 Download the Collection LOADING... Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox. SUBSCRIBE Webinars Defending Against AI-Powered Attacks: The Evolution of Adversarial Machine Learning MON, MAY 11, 2026 AT 1:00PM ET Tips for Managing Cloud Security in a Hybrid Environment? THURS, MAY 7, 2026 AT 1PM EST Zero Trust Architecture for Cloud environments: Implementation Roadmap TUES, MAY 12, 2026 AT 1PM EST Security in the AI Age TUES, APRIL 28, 2026 AT 1PM EST Critical Infrastructure Protection: Security Industrial Control Systems WED, APRIL 15, 2026 AT 1PM EST More Webinars White Papers How Sunrun Transformed Security Operations with AiStrike Autonomous Pentesting at Machine Speed, Without False Positives Best practices for incident response planning Building a Robust SOC in a Post-AI World Industry Report: AI, SOC, and Modernizing Cybersecurity Explore More White Papers BLACK HAT ASIA | MARINA BAY SANDS, SINGAPORE Experience cutting-edge cybersecurity insights in this four-day event featuring expert Briefings on the latest research, Arsenal tool demos, a vibrant Business Hall, networking opportunities, and more. Use code DARKREADING for a Free Business Pass or $200 off a Briefings Pass. GET YOUR PASS GISEC GLOBAL 2026 GISEC GLOBAL is the most influential and the largest cybersecurity gathering in the Middle East & Africa, uniting global CISOs, government leaders, technology buyers, and ethical hackers for three power-packed days of innovation, strategy, and live cyber drills. 📌 BOOK YOUR SPACE