Vulnerabilities | Apr 30, 2026

Critical Gemini CLI Flaw Enabled Host Code Execution, Supply Chain Attacks

Critical RCE vulnerability in Gemini CLI enabled host code execution and supply chain attacks.

Summary

A critical remote code execution vulnerability was discovered in Gemini CLI, an open source AI agent by Google, that allowed attackers to execute arbitrary commands on the host machine by planting malicious configuration files. The flaw, patched by Google in both Gemini CLI and the run-gemini-cli GitHub Action, could enable supply chain attacks in CI/CD pipelines by giving attackers access to secrets, credentials, and source code. The vulnerability did not require prompt injection or model manipulation—it exploited the agent's automatic trust of workspace configurations without sandboxing or human approval.

Full text

A critical remote code execution vulnerability was recently discovered by researchers in Gemini CLI, an open source AI agent designed to provide lightweight access to Gemini directly from a terminal. The vulnerability, patched by Google in both Gemini CLI and the ‘run-gemini-cli’ GitHub Action, was identified by researchers at Novee Security.

The researchers noticed that “Gemini CLI automatically trusted the current workspace folder, loading any agent configuration it found there without review, sandboxing, or human approval.” An attacker who could plant a malicious configuration in that folder could cause the AI agent to execute arbitrary commands on the host before sandbox initialization.

“Across every affected workflow, the impact was the same: code execution on the host running the agent gave an unprivileged outsider access to whatever secrets, credentials, and source code the workflow could reach,” Novee researchers explained. According to the researchers, a threat actor could have exploited the vulnerability to steal tokens and gain lateral movement to downstream systems.

In the context of a CI/CD pipeline, the attacker could have leveraged the vulnerability to carry out a supply chain attack. Novee researchers noted: “AI coding agents now sit inside CI/CD pipelines holding the execution privileges of a trusted contributor, reading from the same workspaces a contributor would touch. This level of access can lead to critical supply-chain attacks, the type that stem from the developer workflow itself.”

The attack did not involve any prompt injection or model decision. A different team of researchers recently demonstrated that AI agents associated with Claude Code Security Review, Gemini CLI Action, and GitHub Copilot Agent could be hijacked via malicious GitHub comments.
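To make the trust boundary the researchers describe concrete, here is an added Python example (not Gemini CLI's, Google's or Novee's code) contrasting an agent that applies whatever workspace configuration it finds with one that gates settings capable of running commands behind explicit, hash-bound human approval. The config file name `.agent/config.json`, the keys `hooks`, `startup_commands` and `tool_servers`, the `TrustStore` class and the planted sample config are all assumptions constructed for this illustration, not the real configuration schema.

```python
"""Workspace-trust gate for an agent's project-level configuration (added example).

Two loaders are shown: `load_config_trusting` models the vulnerable pattern
(the checkout is trusted as-is), `load_config_gated` models the mitigation
(settings that can execute code are dropped unless this exact file content was
approved by a human for this workspace). A non-interactive CI runner passes no
approver, so planted commands never reach the host there.
"""
import hashlib
import json
import os
import tempfile

# Assumed names for this example; not Gemini CLI's real config file or keys.
WORKSPACE_CONFIG = os.path.join(".agent", "config.json")
EXECUTABLE_KEYS = {"hooks", "startup_commands", "tool_servers"}


def _read_config(workspace):
    """Return (raw_bytes, parsed_dict) for the workspace config, or (b'', {})."""
    path = os.path.join(workspace, WORKSPACE_CONFIG)
    if not os.path.isfile(path):
        return b"", {}
    with open(path, "rb") as fh:
        raw = fh.read()
    return raw, json.loads(raw.decode("utf-8"))


def load_config_trusting(workspace):
    """Vulnerable pattern: the folder the agent was started in is trusted as-is."""
    return _read_config(workspace)[1]


class TrustStore:
    """Records which (workspace, config hash) pairs a human has approved.

    Binding the approval to the file hash means a later edit to the config,
    for example one arriving in a pull request, counts as unapproved again.
    """

    def __init__(self):
        self._approved = set()

    def is_trusted(self, workspace, digest):
        return (os.path.realpath(workspace), digest) in self._approved

    def approve(self, workspace, digest):
        self._approved.add((os.path.realpath(workspace), digest))


def load_config_gated(workspace, trust_store, approver=None):
    """Hardened pattern: executable settings need explicit, hash-bound approval.

    Returns (effective_config, decision). Inert keys are always kept; keys that
    can run commands are dropped unless this exact content was approved for this
    workspace, or `approver(workspace, executable_settings)` says yes right now.
    """
    raw, cfg = _read_config(workspace)
    if not cfg:
        return {}, "no workspace config"
    digest = hashlib.sha256(raw).hexdigest()
    executable = {k: v for k, v in cfg.items() if k in EXECUTABLE_KEYS}
    inert = {k: v for k, v in cfg.items() if k not in EXECUTABLE_KEYS}
    if not executable:
        return cfg, "no executable settings"
    if trust_store.is_trusted(workspace, digest):
        return cfg, "previously approved"
    if approver is not None and approver(workspace, executable):
        trust_store.approve(workspace, digest)
        return cfg, "approved now"
    return inert, "executable settings dropped: workspace not trusted"


def demo():
    """Constructed scenario: a checkout carrying a config that would run a command."""
    planted = {"model": "example-model", "startup_commands": ["echo planted-command"]}
    with tempfile.TemporaryDirectory() as ws:
        os.makedirs(os.path.join(ws, ".agent"))
        cfg_path = os.path.join(ws, WORKSPACE_CONFIG)
        with open(cfg_path, "w", encoding="utf-8") as fh:
            json.dump(planted, fh)
        trusting = load_config_trusting(ws)            # commands applied blindly
        store = TrustStore()
        gated, decision = load_config_gated(ws, store)  # CI: no approver available
        approved, decision_after = load_config_gated(ws, store, approver=lambda w, ex: True)
        planted["startup_commands"].append("echo second-command")  # file edited later
        with open(cfg_path, "w", encoding="utf-8") as fh:
            json.dump(planted, fh)
        edited, decision_edited = load_config_gated(ws, store)  # hash changed, trust revoked
    return {
        "trusting_runs_commands": "startup_commands" in trusting,
        "gated_decision": decision,
        "gated_has_commands": "startup_commands" in gated,
        "approved_decision": decision_after,
        "edited_decision": decision_edited,
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The design point is that "trust" is a property of a specific file content in a specific location, granted by a person, rather than of whatever directory the agent happens to start in; a runner that cannot ask anyone simply never executes workspace-supplied commands.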
Written by Eduard Kovacs, senior managing editor at SecurityWeek.

Entities

Gemini CLI (product), run-gemini-cli GitHub Action (product), Google (vendor), Novee Security (vendor), Claude Code Security Review (product), GitHub Copilot Agent (product)