Critical Gemini CLI Vulnerability Lets Attackers Execute Arbitrary Code

HomeCyber Security News Critical Gemini CLI Vulnerability Lets Attackers Execute Arbitrary Code By Abinaya June 29, 2026 A critical security vulnerability in Google’s Gemini CLI has been disclosed, allowing attackers to execute arbitrary code in certain CI/CD environments, particularly GitHub Actions workflows. The issue, tracked as CVE-2026-12537, impacts multiple versions of the Gemini CLI and its related GitHub Action. The vulnerability affects @google/gemini-cli versions before 0.39.1 and 0.40.0-preview.3, as well as google-github-actions/run-gemini-cli versions earlier than 0.1.22. Security researchers identified that improper handling of workspace trust and tool execution policies could expose systems to remote code execution (RCE). Gemini CLI Vulnerability The root cause lies in how Gemini CLI previously handled “headless” environments, such as automated CI pipelines. In earlier versions, the CLI automatically trusted workspace folders when running in non-interactive mode. This meant that configuration files, including environment variables stored in local directories such as .gemini/.env, were loaded without verification. An attacker could exploit this behavior by injecting malicious environment variables into a repository. When a CI workflow processed untrusted input, such as a pull request, the Gemini CLI would load these variables and potentially execute arbitrary commands. This creates a direct path to remote code execution without requiring user interaction. Additionally, a second issue involved the –yolo mode, where Gemini CLI ignored fine-grained tool allowlists. If workflows permitted shell command execution, attackers could leverage prompt injection techniques to run unauthorized commands. This significantly increased the risk in automated pipelines handling untrusted data. The vulnerability has been rated critical, with CVSS metrics indicating network-based exploitation, low attack complexity, and no requirement for privileges or user interaction. Successful exploitation can result in the complete compromise of confidentiality, integrity, and availability. Notably, the flaw enables pre-sandbox host-level code execution in some CI environments. This means attackers could escape intended restrictions and execute commands directly on the host system running the pipeline. For instance, a malicious contributor could submit a pull request containing a crafted .gemini/.env file. If the CI pipeline uses a vulnerable version of Gemini CLI, it would automatically trust and load the file. This could trigger execution of embedded commands, allowing the attacker to access secrets, modify build artifacts, or pivot to other systems. Google has released patched versions addressing these issues. The updated Gemini CLI enforces explicit workspace trust in headless mode, aligning it with interactive behavior. Configuration files are no longer loaded unless the workspace is explicitly marked as trusted. The update also ensures that tool allowlisting is enforced even in –yolo mode, preventing unrestricted command execution. Users are strongly advised to: Upgrade to Gemini CLI version 0.39.1 or 0.40.0-preview.3, and run-gemini-cli version 0.1.22 or later. Review CI/CD workflows that process untrusted inputs. Set the environment variable GEMINI_TRUST_WORKSPACE to true only for trusted repositories. Implement strict tool allowlists and avoid enabling unnecessary command execution. Tracked as advisory GHSA-wpqr-6v78-jr5g, the vulnerability was responsibly disclosed by security researchers from Novee Security and Pillar Security. Given the widespread use of automated pipelines, this vulnerability highlights the risks of implicit trust in CI environments. It reinforces the need for strict input validation and execution controls.  Strengthen Your SOC by Accelerating Threat Detection & Rapid Investigations. -> Integrate ANY.RUN With Your SOC Now. Tags cyber security cyber security news Copy URL Linkedin Twitter ReddIt Telegram Abinayahttps://cybersecuritynews.com/ Abi is a Security Editor and fellow reporter with Cyber Security News. She is covering various cyber security incidents happening in the Cyber Space. Trending News How Attackers Exploit Privileged Access and How to Lock Them Out  AiTM Phishing Kits Steal Console Credentials and MFA Codes from AWS Environments ManageEngine AD360 Integration Flaw Exposes User Identity and Role Information to Attackers Mistic Backdoor Blends With Microsoft Endpoint Security Tooling to Evade Detection 15 Best Linux Network Monitoring Tools in 2026 Latest News Cyber Security News Critical Dell Wyse Vulnerabilities Enable Remote Code Execution Attacks Cyber Security News Microsoft 365 Apps RCE Vulnerability Exploited Using a Malicious Excel File Cyber Security News Russia-Linked Turla Uses Compromised Infrastructure to Deploy STOCKSTAY in Ukraine Operations Cyber Security News ClawHub Skills Expose AI Agents to Remote Control Backdoors and Data Theft Attacks Cyber Security News Hackers Could Abuse WM_COPYDATA Callback Path to Execute Code Through Win32k Dispatch