CRITICAL: Google Patches CVSS 10 Gemini CLI Flaw That Turned CI Workspaces Into Free RCE
A maximum severity CVSS 10.0 flaw in Google Gemini CLI headless mode let any attacker who could drop a .gemini directory into a CI workspace execute code on the runner host. Tracked as GHSA-wpqr-6v78-jr5g, it is fixed in @google/gemini-cli 0.39.1 and 0.40.0-preview.3, plus run-gemini-cli action 0.1.22. Patch immediately and rotate any secrets reachable from affected pipelines.
If you have wired Google's Gemini CLI into a continuous integration pipeline, stop reading this and go check your version. A vulnerability with the maximum possible CVSS score of 10.0 sat in the headless mode of Gemini CLI for an unknown stretch of time, quietly granting any outsider able to drop a file into a build workspace the keys to your CI host. Google patched it on April 30, 2026, in versions 0.39.1 and 0.40.0-preview.3 of the @google/gemini-cli package, alongside a companion fix in release 0.1.22 of the official google-github-actions/run-gemini-cli action; earlier releases of the action are affected. The advisory tracks as GHSA-wpqr-6v78-jr5g. A formal CVE identifier was still being assigned at the time of writing, which is itself a small fingerprint of how fast the AI tooling ecosystem has outpaced the vulnerability bookkeeping that normally accompanies a flaw of this severity.
The mechanic is almost insultingly simple, which is part of what makes it so bad. Gemini CLI supports a headless mode designed for automation. Stick it inside a GitHub Actions runner, point it at a repository, and let it loose to summarize diffs, generate tests, triage issues, or whatever AI-assisted task the engineering team dreamed up that week. To do its job, the agent reads configuration from a .gemini directory inside the workspace it is operating on. That directory can carry settings, instructions, and crucially, environment variable definitions that the CLI loads before it does much of anything else. In interactive use this is fine, because a human is sitting at the keyboard explicitly trusting the folder they just opened. In headless mode, Gemini CLI was implicitly trusting whatever workspace it landed in. No prompt, no approval, no sandbox check, just load and go.
That is the whole vulnerability. An unprivileged external attacker, the threat actor every organization with a public repository has to plan for, could open a pull request against a repository whose CI pipeline used Gemini CLI, drop a malicious .gemini directory into the PR's tree, and wait for the workflow to clone the branch and feed it to the agent. The agent would dutifully load the attacker's configuration and the environment variables it defined, and from there the path to remote code execution on the runner host was short. As Elad Meged from Novee Security, one of the researchers who reported the bug along with Dan Lisichkin from Pillar Security, put it bluntly, this had nothing to do with prompt injection or the model deciding to misbehave. It was an infrastructure-level trust failure. The model was a bystander. The plumbing did the damage.
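To make the trust failure concrete, here is a constructed model of the two behaviours described above: a headless agent that merges environment definitions from a .gemini directory in whatever workspace it is handed, beside the opt-in version. This is an added illustration written for this article, not Gemini CLI's own code; the .env file name, the "1"/"true" opt-in value for GEMINI_TRUST_WORKSPACE, and the variable names in the sample payload are assumptions (the article names only the directory and the variable).

```python
"""Constructed model of implicit workspace trust in a headless agent.

Not Gemini CLI's code: a simplified loader that reads KEY=VALUE lines from
.gemini/.env in the checked-out tree, in a pre-fix and a post-fix variant.
"""
import tempfile
from pathlib import Path


def parse_dotenv(text: str) -> dict[str, str]:
    """Minimal KEY=VALUE parser: skips blanks and comments, strips quotes."""
    env: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip("'\"")
    return env


def load_env_vulnerable(workspace: Path, base_env: dict[str, str]) -> dict[str, str]:
    """Pre-fix behaviour as the article describes it: whatever .gemini/.env
    exists in the checked-out tree is merged into the process environment,
    and it may overwrite variables the operator already set."""
    env = dict(base_env)
    dotenv = workspace / ".gemini" / ".env"
    if dotenv.is_file():
        env.update(parse_dotenv(dotenv.read_text()))
    return env


def workspace_is_trusted(base_env: dict[str, str]) -> bool:
    """Post-fix rule: trust is opt-in via GEMINI_TRUST_WORKSPACE. The article
    names the variable; treating "1"/"true" as the opt-in value is an assumption."""
    return base_env.get("GEMINI_TRUST_WORKSPACE", "").strip().lower() in {"1", "true"}


def load_env_hardened(workspace: Path, base_env: dict[str, str]) -> dict[str, str]:
    """Post-fix behaviour: workspace-supplied variables are ignored unless the
    operator opted in, and even then the operator's own environment wins on
    conflict (a defensive choice of this model, not a detail from the advisory)."""
    env = dict(base_env)
    if not workspace_is_trusted(base_env):
        return env
    dotenv = workspace / ".gemini" / ".env"
    if dotenv.is_file():
        for key, value in parse_dotenv(dotenv.read_text()).items():
            env.setdefault(key, value)
    return env


def demo() -> dict[str, bool]:
    """Build a PR-shaped workspace with an attacker-authored .gemini/.env and
    run both loaders against it. Returns which loader let which change through."""
    with tempfile.TemporaryDirectory() as tmp:
        workspace = Path(tmp)
        (workspace / ".gemini").mkdir()
        # Constructed payload. A real attacker would define a variable the CLI or
        # its runtime acts on; the article does not say which and this model does not guess.
        (workspace / ".gemini" / ".env").write_text(
            "# dropped into the PR tree\n"
            "ATTACKER_MARKER=owned\n"
            "GEMINI_API_KEY='attacker-controlled'\n"   # placeholder secret name
        )
        runner_env = {"GEMINI_API_KEY": "operator-secret", "CI": "true"}
        opted_in = {**runner_env, "GEMINI_TRUST_WORKSPACE": "1"}
        vuln = load_env_vulnerable(workspace, runner_env)
        hard_default = load_env_hardened(workspace, runner_env)
        hard_optin = load_env_hardened(workspace, opted_in)
        return {
            "vulnerable_loads_attacker_env": "ATTACKER_MARKER" in vuln,
            "vulnerable_overrides_operator_key": vuln["GEMINI_API_KEY"] == "attacker-controlled",
            "hardened_default_loads_attacker_env": "ATTACKER_MARKER" in hard_default,
            "hardened_optin_loads_attacker_env": "ATTACKER_MARKER" in hard_optin,
            "hardened_optin_overrides_operator_key": hard_optin["GEMINI_API_KEY"] == "attacker-controlled",
        }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The point the model makes is the one Novee made: nothing about the model or the prompt matters. The vulnerable loader happily takes both a new variable and an overwrite of the operator's own secret from a file an outsider authored, while the hardened loader takes nothing unless the operator has explicitly said the workspace is trusted.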
Google's own write-up, published with the advisory, conceded the point in a sentence that should be tattooed on the inside of every AI agent developer's eyelids. If used with untrusted directory contents, the company wrote, this could lead to remote code execution via malicious environment variables in the local .gemini directory. Translation: you let attacker-controlled data behave as trusted configuration in a process that has access to your secrets, your source code, and your build artifacts. The Novee team spelled out the consequence with similar clarity. Code execution on the host running the agent gave an unprivileged outsider access to whatever secrets, credentials, and source code the workflow could reach. In a typical GitHub Actions setup, that means cloud deployment keys, package registry tokens, signing certificates, and any other secret the workflow happens to mount. One caveat on exposure: for workflows triggered by a pull_request event from a fork, GitHub withholds repository secrets other than GITHUB_TOKEN, so the full secret-theft scenario applies to pipelines that hand untrusted branches their secrets anyway, through pull_request_target, through PRs from branches in the same repository, or on self-hosted runners whose host already holds credentials and persists state between jobs. Even without mounted secrets, code execution on the runner still yields the source tree and the job's token. For a downstream supply chain attacker, this is the dream scenario.
Patches arrived quickly once Google was notified. Version 0.39.1 and the preview track 0.40.0-preview.3 of the npm package, plus the 0.1.22 release of the run-gemini-cli action, fix the underlying logic. Workspace folder trust is no longer implicit in headless contexts. Operators who want the old loose behavior must opt in by setting the GEMINI_TRUST_WORKSPACE environment variable, which in a CI job that checks out untrusted branches reintroduces exactly the exposure the patch closed. Google also tightened the tool allowlisting in the so-called yolo mode, which as the name suggests was even more permissive than the default. If your team standardized on Gemini CLI inside its GitHub Actions or any other CI runner, upgrade today, audit any historical workflows that ran on attacker-touched branches, and rotate every secret that was reachable from those runners. If you were running a vulnerable version against public pull requests, treat this as a potential credential exposure until your log review says otherwise.
The Gemini disclosure landed alongside two related findings in Cursor, the AI-assisted code editor that has become the default IDE for a chunk of the developer population. Cursor versions prior to 2.5 carry CVE-2026-26268, a sandbox escape via malicious Git hooks that fires when a user clones a repository containing an embedded bare repository with a poisoned hook script. CVSS for that one sits at 8.1, and the patch is available in Cursor 2.5. Less encouragingly, LayerX Security disclosed a separate flaw they call CursorJacking, scored at 8.2, which lets installed extensions reach into the editor's local SQLite database and exfiltrate the API keys that Cursor stores there for talking to model providers. CursorJacking remains unpatched as of the disclosure window. The throughline across all three issues is the same uncomfortable truth. AI coding tools are accumulating power, secrets, and trust at a rate that has clearly outpaced the threat modeling around them.
In-the-wild exploitation has not been confirmed for the Gemini flaw, which is the small mercy in this story. The research came from defensive analysis of CI/CD supply chain risks rather than incident response on a known compromise. That said, the absence of a smoking gun does not mean the gun never went off. Anyone running Gemini CLI in a public-facing repository's pull request workflow before April 30 should assume that any external pull request opened against a vulnerable workflow had a chance to plant configuration. The detection idea most worth running is straightforward. Pull the workflow run logs for the past sixty days, or as far back as your Actions log retention allows (GitHub's default is 90 days), look for runs triggered by external pull requests where Gemini CLI was invoked, take the head commit SHA recorded by the checkout step, and check whether that tree contained a .gemini directory the maintainers did not author. Use the SHA rather than the PR branch, because a hostile branch can be force-pushed or deleted after the run. While you are at it, hash the configuration files in your own .gemini folders against a known-good baseline, because if an attacker did get a foothold, leaving a persistent settings change behind in the maintainers' own copy of the directory is the obvious next move.
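The baseline check at the end of that paragraph is easy to script. The helper below is an added example written for this article, not tooling from Google, Novee or the advisory. It snapshots a maintainer-authored .gemini directory into a manifest of SHA-256 digests, then classifies a checked-out tree's .gemini directory against it: files added (attacker-introduced), modified (persistence in the maintainers' own copy), missing (a control deleted), or, for repositories that ship no .gemini at all, any file found there as unexpected. The directory layouts and file contents in the demo are constructed.

```python
"""Added detection helper: diff a checked-out tree's .gemini directory against
a known-good manifest. Not from the advisory or Gemini CLI."""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Streaming SHA-256 so large config or instruction files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest_for(gemini_dir: Path) -> dict[str, str]:
    """Map of POSIX relative path -> sha256 for every regular file under .gemini.
    pathlib's glob matches dotfiles, so .env and friends are included."""
    if not gemini_dir.is_dir():
        return {}
    return {
        p.relative_to(gemini_dir).as_posix(): sha256_file(p)
        for p in sorted(gemini_dir.rglob("*"))
        if p.is_file()
    }


def audit_gemini_dir(workspace: Path, baseline: dict[str, str]) -> dict[str, list[str]]:
    """Classify the tree's .gemini contents relative to the baseline manifest.

    An empty baseline means the maintainers ship no .gemini directory, so every
    file found there is 'unexpected' and the run deserves a closer look."""
    current = manifest_for(workspace / ".gemini")
    if not baseline:
        return {"unexpected": sorted(current), "added": [], "modified": [], "missing": []}
    return {
        "unexpected": [],
        "added": sorted(set(current) - set(baseline)),
        "modified": sorted(p for p in current.keys() & baseline.keys() if current[p] != baseline[p]),
        "missing": sorted(set(baseline) - set(current)),
    }


def demo() -> tuple[dict[str, list[str]], dict[str, list[str]]]:
    """Two constructed scenarios: a repo that ships .gemini/settings.json and later
    shows a changed settings file plus a dropped-in .env; and a repo that ships no
    .gemini at all but receives a PR tree containing one."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Scenario 1: the maintainers' known-good copy, snapshotted into a baseline.
        good = root / "good"
        (good / ".gemini").mkdir(parents=True)
        (good / ".gemini" / "settings.json").write_text(json.dumps({"theme": "default"}))
        baseline = manifest_for(good / ".gemini")
        # The same repository after a hostile PR: settings changed, .env added.
        pr1 = root / "pr1"
        (pr1 / ".gemini").mkdir(parents=True)
        (pr1 / ".gemini" / "settings.json").write_text(
            json.dumps({"theme": "default", "constructed_change": True}))
        (pr1 / ".gemini" / ".env").write_text("ATTACKER_MARKER=owned\n")
        # Scenario 2: repository with no .gemini; the PR tree brings one.
        pr2 = root / "pr2"
        (pr2 / ".gemini").mkdir(parents=True)
        (pr2 / ".gemini" / ".env").write_text("ATTACKER_MARKER=owned\n")
        return audit_gemini_dir(pr1, baseline), audit_gemini_dir(pr2, {})


if __name__ == "__main__":
    tampered, fresh = demo()
    print("tampered repo:", tampered)
    print("repo with no .gemini:", fresh)
```

In practice you would generate the baseline manifest from a trusted default-branch checkout, store it outside the repository, and run audit_gemini_dir against `git worktree` checkouts of each suspect head SHA from the run logs. Anything in the added or modified lists from an external PR run is a lead, not noise.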
Beyond patching, the longer term takeaway here is about how AI agent tooling treats the workspace. The whole point of these agents is that they ingest local context, but local context in a CI runner is exactly the place where that context cannot be trusted. Treat any AI agent running in automation as a privileged process that should only consume configuration from a path the maintainer explicitly controls, not from whatever happens to be checked out. Pin agent versions in CI rather than tracking latest, and pin the action itself to a release tag or, better, a commit SHA. Run agents with the minimum secrets they need rather than the runner's default environment. And review the trust model of any new agent tool the same way you would review a new build dependency, because functionally it is one with a much bigger blast radius.
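The upgrade guidance in the patch paragraph and the pinning guidance here reduce to a few greppable patterns in a workflow file. The checker below is an added example written for this article, not from Google or the advisory: it scans GitHub Actions workflow text for the run-gemini-cli action below 0.1.22 or on a floating ref, @google/gemini-cli installed below the fixed versions or without a version at all, and GEMINI_TRUST_WORKSPACE opting back into implicit workspace trust. The fixed version numbers come from the article; the tag format (with or without a leading v), the regexes, and the two sample workflows are assumptions and constructed input.

```python
"""Added workflow checker for the Gemini CLI usage patterns this article flags.
Not from Google or the advisory; regexes and samples are constructed."""
import re

ACTION = "google-github-actions/run-gemini-cli"
ACTION_FIXED = (0, 1, 22)          # run-gemini-cli fixed release (from the article)
CLI_FIXED_STABLE = (0, 39, 1)      # @google/gemini-cli stable fixed release
CLI_FIXED_PREVIEW = (0, 40, 0, 3)  # @google/gemini-cli 0.40.0-preview.3

USES_RE = re.compile(rf"uses:\s*{re.escape(ACTION)}@(\S+)")
CLI_RE = re.compile(r"@google/gemini-cli(?:@(\S+))?")
TRUST_RE = re.compile(r"^\s*GEMINI_TRUST_WORKSPACE\s*:\s*[\"']?([^\"'\s]*)", re.MULTILINE)
SEMVER_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-preview\.(\d+))?$")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def parse_version(ref: str):
    """(major, minor, patch) for a stable tag, (major, minor, patch, n) for a
    preview tag, None for anything else (branch names, dist-tags, commit SHAs)."""
    m = SEMVER_RE.match(ref)
    if not m:
        return None
    return tuple(int(x) for x in m.groups() if x is not None)


def cli_is_fixed(version: tuple) -> bool:
    """Two-track rule mirroring the two fixed versions the advisory names:
    preview builds are fixed from 0.40.0-preview.3, stable builds from 0.39.1."""
    if len(version) == 4:
        return version >= CLI_FIXED_PREVIEW
    return version >= CLI_FIXED_STABLE


def scan_workflow(text: str) -> list[str]:
    """Return human-readable findings for one workflow file's text."""
    findings = []
    for ref in USES_RE.findall(text):
        v = parse_version(ref)
        if v is not None:
            if v < ACTION_FIXED:
                findings.append(f"{ACTION}@{ref}: below 0.1.22, vulnerable")
        elif SHA_RE.match(ref):
            findings.append(f"{ACTION}@{ref}: pinned to a commit; confirm it is 0.1.22 or later")
        else:
            findings.append(f"{ACTION}@{ref}: floating ref, pin to a release tag or commit SHA >= 0.1.22")
    for ver in CLI_RE.findall(text):
        if not ver or ver == "latest":
            findings.append("@google/gemini-cli: unpinned install tracks latest; pin to 0.39.1+ or 0.40.0-preview.3+")
            continue
        v = parse_version(ver)
        if v is None:
            findings.append(f"@google/gemini-cli@{ver}: unrecognised version spec, review manually")
        elif not cli_is_fixed(v):
            findings.append(f"@google/gemini-cli@{ver}: below the fixed version, vulnerable")
    for value in TRUST_RE.findall(text):
        if value.lower() not in {"", "0", "false"}:
            findings.append("GEMINI_TRUST_WORKSPACE is enabled: workspace trust opted back in for a checked-out, possibly attacker-authored tree")
    return findings


# Constructed sample workflows (not from any real repository).
WEAK_WORKFLOW = """
name: ai-review
on: [pull_request]
jobs:
  review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: google-github-actions/run-gemini-cli@v0.1.20
        env:
          GEMINI_TRUST_WORKSPACE: "true"
      - run: npx @google/gemini-cli@0.40.0-preview.2 --help
"""

FIXED_WORKFLOW = """
name: ai-review
on: [pull_request]
jobs:
  review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: google-github-actions/run-gemini-cli@v0.1.22
      - run: npx @google/gemini-cli@0.39.1 --help
"""

if __name__ == "__main__":
    for name, wf in (("weak", WEAK_WORKFLOW), ("fixed", FIXED_WORKFLOW)):
        print(name, scan_workflow(wf) or ["no findings"])
```

Run it over every file under .github/workflows, and treat a commit-SHA pin as a prompt to check the tag that SHA corresponds to rather than as a pass. It deliberately does not try to judge secret scoping, which depends on what the job mounts and cannot be read off a regex.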
For MSPs and security consultancies, the Gemini and Cursor disclosures together are an obvious doorway into the AI tooling governance conversation that many clients have been quietly avoiding. The pitch nearly writes itself. Engineering teams have adopted AI coding assistants and CLI agents at a speed that has left the security review queue back at the starting line, and these flaws are early evidence that the integration patterns are not safe by default. A focused engagement covering AI tool inventory, CI/CD secret scoping, workspace trust review, and incident readiness for compromised pipelines is exactly the kind of advisory work that fits a quarterly retainer. Pair it with secrets rotation tooling and dark web monitoring for any leaked tokens and the upsell story holds together neatly. The clients who say they do not use Gemini CLI today will almost certainly be running something equivalent in six months. Get the conversation on the calendar before the next CVSS 10 lands.
References
- The Hacker News: Google Fixes CVSS 10 Gemini CLI CI RCE
https://thehackernews.com/2026/04/google-fixes-cvss-10-gemini-cli-ci-rce.html
- GitHub Security Advisory GHSA-wpqr-6v78-jr5g
https://github.com/google-github-actions/run-gemini-cli/security/advisories/GHSA-wpqr-6v78-jr5g
- The Register: Google fixes CVSS 10.0 Gemini CLI flaw
https://www.theregister.com/2026/04/30/googles_fix_for_critical_gemini/
- Novee Security Advisory
https://novee.security/blog/google-gemini-cli-rce-vulnerability-cvss-10-critical-security-advisory/