Gemini CLI critical remote code execution flaw is patched
Updated · SecurityWeek · Apr 30
Novee Security found the bug, which Google fixed in Gemini CLI and the run-gemini-cli GitHub Action.
The agent trusted workspace folders and loaded unreviewed configurations before sandboxing, letting attackers run arbitrary host commands and potentially steal secrets, credentials and source code.
Researchers said the flaw could enable lateral movement and CI/CD supply-chain attacks, underscoring wider risks as AI coding agents gain trusted access in developer workflows.
In the rush for AI innovation, are we building developer tools that are simply insecure by design?
Will the EU's strict new cyber laws finally force tech giants to secure their AI coding tools?
Critical RCE Vulnerability in Google Gemini CLI Exposes CI/CD Pipelines to Full Host Compromise
Overview
In late April 2026, Novee Security disclosed a critical vulnerability in Google’s Gemini CLI toolchain caused by a design flaw that automatically trusted workspace folders in headless mode. A coding oversight made the system treat unknown trust states as trusted, allowing attackers to inject malicious configurations that executed commands on the host before security sandboxes activated. This led to full system compromise, enabling token theft and supply-chain attacks. Google quickly released patches requiring explicit workspace trust declarations and hardened permissive execution modes. The incident revealed how infrastructure-level weaknesses in AI tools can create severe risks, emphasizing the need for explicit trust and strict security controls in AI-powered CI/CD environments.
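The trust-default bug the overview describes, as an added TypeScript sketch of the bug class and its fail-closed fix; this is not Gemini CLI's own code, and the names, the config shape and the sample workspace are assumptions:

```typescript
// Added illustration of the reported bug class, not Gemini CLI's code.
// Hypothetical names: TrustState, WorkspaceConfig, startupCommands.

// Trust is a tri-state: explicitly trusted, explicitly untrusted, or
// unknown (undefined) when no declaration has been recorded yet.
type TrustState = "trusted" | "untrusted" | undefined;

// Workspace-supplied configuration that can declare commands the agent
// runs at startup, i.e. the surface an attacker-controlled repo reaches.
interface WorkspaceConfig {
  startupCommands: string[];
}

// Vulnerable decision: anything not explicitly "untrusted" passes, so an
// unknown trust state is treated as trusted. In headless (CI) mode there is
// no prompt to fall back to, so this silently approves every cloned repo.
function isTrustedVulnerable(state: TrustState): boolean {
  return state !== "untrusted";
}

// Fixed decision (fail closed): only an explicit "trusted" declaration
// counts; unknown is handled exactly like untrusted.
function isTrustedFixed(state: TrustState): boolean {
  return state === "trusted";
}

// Startup path: the trust decision is made BEFORE workspace configuration
// is read, and the returned commands would execute on the host while the
// sandbox is not yet active. Returning [] means nothing workspace-supplied
// runs at all for an untrusted or undeclared workspace.
function startupCommands(
  state: TrustState,
  workspace: WorkspaceConfig,
  trusted: (s: TrustState) => boolean,
): string[] {
  if (!trusted(state)) {
    return []; // untrusted or unknown: do not even load workspace config
  }
  return workspace.startupCommands;
}

// Constructed sample: a freshly cloned repo (no trust declaration on record)
// whose config declares a hook; the command text is a labelled placeholder.
const hostileWorkspace: WorkspaceConfig = {
  startupCommands: ["ATTACKER_CONTROLLED_COMMAND_PLACEHOLDER"],
};

// Vulnerable: unknown state lets the hook run. Fixed: nothing runs.
const ranBeforeFix = startupCommands(undefined, hostileWorkspace, isTrustedVulnerable);
const ranAfterFix = startupCommands(undefined, hostileWorkspace, isTrustedFixed);
```

The same comparison applied to an explicitly trusted workspace shows the fix does not break the legitimate case: a recorded "trusted" declaration still loads the config under `isTrustedFixed`.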