Google Fixes CVSS 10 Gemini CLI Vulnerability Enabling GitHub Issue-Based RCE
Google patches CVSS 10 Gemini CLI vulnerability allowing prompt injection RCE via GitHub issues.
Summary
Google fixed a critical CVSS 10 vulnerability in Gemini CLI discovered by Pillar Security that allowed attackers to inject malicious commands into GitHub issues. By exploiting prompt injection and a dangerous "--yolo mode" setting that auto-approves commands, a threat actor could steal GitHub tokens and achieve full repository compromise. The flaw affected over 101,000 starred projects and was patched in Gemini CLI v0.39.1 and run-gemini-cli v0.1.22 by April 24, 2026.
Full text
Google patches a CVSS 10 Gemini CLI vulnerability that allowed hackers to use prompt injection and privilege escalation for a full supply chain compromise.
By Deeba Ahmed, May 6, 2026
A major security vulnerability recently put Google’s official Gemini-cli repository and its associated GitHub Actions at risk of a total takeover. Researchers at the firm Pillar Security found a way to compromise the repository, a popular project with over 101,000 stars on GitHub. Researchers claim that a threat actor could have used the flaw to launch a full supply chain compromise.
The vulnerability was so severe that it earned a CVSS 10 rating. According to Pillar Security, the issue was not with the AI model itself but the way the system was built. The team, led by Dan Lisichkin, found that a hacker could gain control of the repository by simply opening a public Issue on GitHub.
How the Trust Issues Exploit Worked
The investigation began when automated scanners identified a vulnerability in Google’s Google/draco repository caused by Gemini running in --yolo mode, a dangerous setting that enables the gemini-cli agent to auto-approve shell commands and tool calls without human confirmation. This allowed for an attack method the team called TrustIssues, which involved using a technique called prompt injection.
Because Gemini was set to automatically read and label incoming GitHub issues while in --yolo mode, a cyberattacker could hide secret commands inside the text of an issue. When Gemini read the message, it would stop its normal job and execute the attacker’s hidden shell commands instead.
The Lethal Trifecta
Further investigation revealed a lethal trifecta that made the attack possible. For your information, a lethal trifecta is a situation where a tool can access private data, read untrusted content from the public, and communicate with external servers.
So, what happened here is that Gemini had access to private data, it was allowed to read text from the public, and it could send data to external servers. Researchers noted that even though Google tried to keep GitHub tokens away from the AI agent, those keys were still saved on the computer’s disk. Specifically, a tool called actions/checkout saved these credentials in a file named .git/config. Gemini was tricked into reading this file and sending the keys to the hacker.
[Figure: Attack flow (Source: Pillar Security)]
The Road to a Fix
In a proof-of-concept, researchers demonstrated the entire attack chain, showing how a threat actor could perform a privilege escalation after stealing the initial keys. By using the stolen data to trigger other tasks like smoke-test.yml, the attacker eventually gained contents: write permissions. This would empower them to change the actual code in the gemini-cli repository.
Following the initial report by Pillar Security on 16 April 2026 involving the Google/draco repository, the team demonstrated this full attack on gemini-cli on 20 April, leading Google to release security advisory GHSA-wpqr-6v78-jr5g and software patches by 24 April 2026. The flaw is now patched in Gemini CLI (version 0.39.1) and run-gemini-cli (version 0.1.22). These new versions limit what commands the AI agent can run, even in --yolo mode.
Demo video: https://45700826.fs1.hubspotusercontent-na1.net/hubfs/45700826/gemini-cli%20rce%20demo.mp4
“Preventing this class of attack requires treating AI agents as privileged code execution, not just assistants,” researchers concluded, suggesting that developers should set persist-credentials: false in their GitHub settings to keep their GitHub tokens off the disk.
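Added example, not from the article or from Pillar Security's research: a small Python check that reads a GitHub Actions workflow file and reports the three conditions described above, namely an issue-triggered job, a Gemini CLI step, and an actions/checkout step that leaves the token in .git/config because persist-credentials: false is not set on that step. The sample workflows and the action version tags in them are constructed, and the line-based parsing is a simplifying assumption.

```python
import re

# Constructed sample workflow for illustration; not taken from any Google repository.
VULNERABLE = """\
on:
  issues:
    types: [opened]
permissions:
  issues: write
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: google-github-actions/run-gemini-cli@v0
"""
# Same workflow with the token kept off disk, as the researchers recommend.
HARDENED = VULNERABLE.replace(
    "actions/checkout@v4",
    "actions/checkout@v4\n        with:\n          persist-credentials: false",
)

# 'issues:' as a trigger has no inline value; 'issues: write' under permissions does.
TRIGGER = re.compile(r"^[ \t]*(issues|issue_comment)[ \t]*:[ \t]*$"
                     r"|^[ \t]*on:.*\b(issues|issue_comment)\b", re.M)
AGENT = re.compile(r"run-gemini-cli|--yolo")
CHECKOUT = re.compile(r"uses:\s*actions/checkout\b")
PERSIST_OFF = re.compile(r"persist-credentials:\s*['\"]?false\b")

def steps(text):
    """Heuristic split: each YAML list item ('- ...') starts a new block."""
    return [b for b in re.split(r"(?m)^(?=[ \t]*-\s)", text) if b.strip()]

def audit(text):
    """Report which of the article's three conditions a workflow file meets."""
    exposed = [b.strip().splitlines()[0] for b in steps(text)
               if CHECKOUT.search(b) and not PERSIST_OFF.search(b)]
    result = {
        "untrusted_trigger": bool(TRIGGER.search(text)),  # public issue text reaches the job
        "agent_step": bool(AGENT.search(text)),           # Gemini CLI runs in the job
        "token_on_disk": exposed,                         # checkout leaves creds in .git/config
    }
    result["high_risk"] = all(result.values())
    return result

if __name__ == "__main__":
    for name, wf in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(name, audit(wf))
```

The check only removes the stored-token condition from the report; upgrading to the patched Gemini CLI and run-gemini-cli versions named above is still required.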