{"id":7975,"date":"2026-04-30T11:31:34","date_gmt":"2026-04-30T11:31:34","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=7975"},"modified":"2026-04-30T11:31:34","modified_gmt":"2026-04-30T11:31:34","slug":"max-severity-rce-flaw-found-in-google-gemini-cli","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=7975","title":{"rendered":"Max-severity RCE flaw found in Google Gemini CLI"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Security researchers are warning about a max severity vulnerability in Google Gemini CLI that could allow remote code execution (RCE) in environments where the tool processes untrusted inputs.<\/p>\n<p>The issue was disclosed by Novee Security researchers and affects the @google\/gemini-cli package and its associated GitHub Action, widely used in CI\/CD workflows.<\/p>\n<p>\u201cGemini CLI (@google\/gemini-cli) and the run-gemini-cli GitHub Action are being updated to harden workspace trust and tool allowlisting, in particular when used in untrusted environments like GitHub Actions,\u201d reads a GitHub <a href=\"https:\/\/github.com\/advisories\/GHSA-wpqr-6v78-jr5g\" target=\"_blank\" rel=\"noopener\">advisory <\/a>issued on the flaw.<\/p>\n<p>Google acknowledged the flaw and thanked security researchers <a href=\"https:\/\/www.linkedin.com\/in\/eladmeged\/\" target=\"_blank\" rel=\"noopener\">Elad Meged<\/a> from Novee Security and <a href=\"https:\/\/www.linkedin.com\/in\/danlis97\/\" target=\"_blank\" rel=\"noopener\">Dan Lisichkin<\/a> from Pillar Security for reporting the issue through its Vulnerability Rewards Program.<\/p>\n<p>The issue was <a href=\"https:\/\/github.com\/google-github-actions\/run-gemini-cli\/security\/advisories\/GHSA-wpqr-6v78-jr5g\" target=\"_blank\" rel=\"noopener\">fixed<\/a> in 
@google\/gemini-cli versions 0.39.1 and 0.40.0-preview.3. A run-gemini-cli fix was also released in version 0.1.22.<\/p>\n<h2 class=\"wp-block-heading\"><a><\/a>Overtrusting workspace configurations<\/h2>\n<p>The problem lay in how the CLI handled workspace trust and command execution in automated, non-interactive environments. \u201cIn affected versions, Gemini CLI running in CI environments automatically trusted workspace folders for the purpose of loading configurations and environment variables,\u201d the advisory said.<\/p>\n<p>Attackers could have easily exploited this by injecting their own malicious configurations into the trusted workspace.<\/p>\n<p>\u201cThe vulnerability allowed an unprivileged external attacker to force their own malicious content to load as Gemini configuration,\u201d Novee researcher Elad Meged said in a blog <a href=\"https:\/\/novee.security\/blog\/google-gemini-cli-rce-vulnerability-cvss-10-critical-security-advisory\/\" target=\"_blank\" rel=\"noopener\">post<\/a>. \u201cThis triggered command execution directly on the host system, bypassing security before the agent\u2019s sandbox even initialized.\u201d<\/p>\n<p>The impact of the flaw was limited to workflows using <a href=\"https:\/\/www.csoonline.com\/article\/4030700\/google-patches-gemini-cli-tool-after-prompt-injection-flaw-uncovered.html\">Gemini CLI<\/a> in headless mode, without an interactive interface.<\/p>\n<p>While a CVE ID has not been assigned to the flaw yet, Meged said Google assessed a severity rating of 10.0, the maximum on the CVSS scale. 
The maximum severity rating likely comes from the exploit requiring low complexity, minimal privileges, and little to no user interaction.<\/p>\n<p>Google did not immediately respond to CSO\u2019s request for comment.<\/p>\n<p>The flaw was, however, categorized under CWE-20, CWE-77, CWE-78, and CWE-200, which roughly refer to improper input validation, command injection, and information disclosure weaknesses.<\/p>\n<h2 class=\"wp-block-heading\"><a><\/a>The behavior is now fixed<\/h2>\n<p>Google has addressed the issue by removing implicit workspace trust in headless environments and enforcing stricter tool controls, effectively changing how Gemini CLI behaves in CI\/CD pipelines.<\/p>\n<p>The patched versions (0.39.1 and 0.40.0-preview.3) now require explicit trust decisions before loading workspace configurations, aligning non-interactive execution with the same safeguards expected in interactive use.<\/p>\n<p>Additionally, the fix closed a critical gap in \u201c--yolo\u201d mode by ensuring that tool allowlisting is actually enforced, preventing loosely scoped permissions from turning into unrestricted command execution.<\/p>\n<p>Previously, allowlisting could be bypassed, letting the CLI run commands outside the intended restrictions.<\/p>\n<p>Google has also brought in a broader ecosystem change. The run-gemini-cli GitHub Action (patched in v0.1.22) now automatically pulls and executes the latest version of the CLI. Workflows that pin a specific gemini-cli-version are advised to upgrade to a patched release and review their existing Gemini CLI configurations to ensure they don\u2019t rely on unsafe defaults.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Security researchers are warning about a max severity vulnerability in Google Gemini CLI that could allow remote code execution (RCE) in environments where the tool processes untrusted inputs. 
The issue was disclosed by Novee Security researchers and affects the @google\/gemini-cli package and its associated GitHub Action, widely used in CI\/CD workflows. \u201cGemini CLI (@google\/gemini-cli) and [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-7975","post","type-post","status-publish","format-standard","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/7975"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=7975"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/7975\/revisions"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=7975"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=7975"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=7975"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}