Google Patches Gemini CLI Bug That Risked CI/CD Supply Chain Attacks


In a major security update, Google has fixed a critical vulnerability in its Gemini CLI tool that could have allowed attackers to execute arbitrary commands on affected systems. The flaw, which received a maximum severity score of 10.0 on the Common Vulnerability Scoring System scale, impacted developers using Gemini CLI in automated environments like CI/CD pipelines.

This issue affected both the “@google/gemini-cli” npm package and the “google-github-actions/run-gemini-cli” workflow used in GitHub Actions. Security researchers warned that the vulnerability could be exploited to achieve Remote Code Execution (RCE), posing a serious risk to software supply chains.

The vulnerability was discovered by cybersecurity researchers at Novee Security, who explained that the issue allowed attackers to inject malicious configuration into Gemini CLI environments.

According to their report, an unauthenticated attacker could force the CLI tool to load malicious configuration files. This could trigger command execution directly on the host system—even before any sandbox protection mechanisms were activated.

This made the flaw particularly dangerous, as it bypassed key security layers and enabled attackers to run commands without proper authorization.

The vulnerability impacted the following versions:

  • @google/gemini-cli versions below 0.39.1
  • @google/gemini-cli versions below 0.40.0-preview.3
  • google-github-actions/run-gemini-cli versions below 0.1.22

Importantly, the flaw did not receive a CVE identifier, but its severity remains critical due to the potential impact.

The root cause of the vulnerability lies in how Gemini CLI handled “workspace trust” in headless environments (such as CI/CD workflows).

Previously, Gemini CLI automatically trusted the workspace folder it was running in. This meant it would load configuration files and environment variables from that folder without verification or user approval.

In scenarios where CI pipelines process untrusted inputs—such as pull requests from unknown contributors—this behavior created a serious risk.

Attackers could craft a malicious .gemini/ configuration directory containing harmful environment variables or scripts. When the CI pipeline executed Gemini CLI, it would unknowingly load this malicious configuration, leading to remote code execution.

This effectively turned CI/CD pipelines into potential entry points for supply chain attacks.

CI/CD pipelines are a core part of modern software development. Tools like Gemini CLI are often integrated into automated workflows to streamline tasks.

However, when such tools blindly trust input directories, they can expose organizations to major risks. This vulnerability highlights how even trusted tools can become attack vectors if not configured securely.

For companies handling open-source contributions or public repositories, the risk becomes even higher due to untrusted inputs.

Google has addressed the issue by introducing stricter controls around workspace trust. With the latest updates:

  • Gemini CLI no longer automatically trusts workspace folders
  • Users must explicitly mark folders as trusted before configuration files are loaded
  • Security checks are now enforced before executing commands

This change ensures that untrusted inputs cannot easily inject malicious configurations into CI workflows.


Google has advised developers and organizations to review their workflows and apply the following best practices:

1. For Trusted Workflows
If your CI pipeline only processes trusted inputs (such as internal code or known contributors), you can explicitly enable trust by setting:

  GEMINI_TRUST_WORKSPACE: 'true'

2. For Untrusted Inputs
If your workflows handle external contributions or unknown inputs:

  • Follow hardening guidelines provided by Google
  • Avoid blindly trusting workspace folders
  • Carefully validate configuration files before execution
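The trust gate described above (an explicit opt-in via GEMINI_TRUST_WORKSPACE for trusted workflows, and validation of workspace configuration before the CLI runs for untrusted ones), as an added example that is not Google's or the Gemini CLI project's code: a pre-flight check a pipeline can run on a pull-request checkout before it invokes Gemini CLI. It assumes project-level configuration lives under a `.gemini/` directory in the checkout (the file names `settings.json` and `.env` inside it are assumptions), and that the pipeline exposes GEMINI_TRUST_WORKSPACE to the job as an environment variable. The sample repository it builds is constructed for the demonstration.

```python
"""CI pre-flight gate for Gemini CLI workspace trust.

Added example, not Google's code. Assumption: Gemini CLI reads project-level
configuration from a `.gemini/` directory in the checkout, and a pipeline
opts in to trusting that workspace with GEMINI_TRUST_WORKSPACE='true'
(the setting named in the advisory).
"""
import json
import os
import sys
import tempfile
from dataclasses import dataclass, field

TRUST_VAR = "GEMINI_TRUST_WORKSPACE"
CONFIG_DIR = ".gemini"  # assumed location of project-level configuration


@dataclass
class PreflightReport:
    config_files: list = field(default_factory=list)
    explicitly_trusted: bool = False
    verdict: str = "clean"  # one of: clean, trusted, untrusted-config


def find_workspace_config(root):
    """Return repo-relative paths of every file under any `.gemini/` directory.

    Nested `.gemini/` directories are reported too: a contributed tree is
    untrusted wherever the configuration sits inside it.
    """
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]  # not part of the contributed tree
        if os.path.basename(dirpath) == CONFIG_DIR:
            for name in filenames:
                found.append(os.path.relpath(os.path.join(dirpath, name), root))
    return sorted(found)


def workspace_is_trusted(env):
    """Patched model: trust only on the explicit literal 'true', never implicitly in a headless run."""
    return env.get(TRUST_VAR, "").strip().lower() == "true"


def legacy_workspace_is_trusted(env, headless=True):
    """Pre-fix behaviour described in the advisory: the folder the CLI ran in was trusted automatically."""
    return True if headless else workspace_is_trusted(env)


def preflight(root, env):
    """Decide whether it is safe to start Gemini CLI on this checkout under this environment."""
    report = PreflightReport()
    report.config_files = find_workspace_config(root)
    report.explicitly_trusted = workspace_is_trusted(env)
    if not report.config_files:
        report.verdict = "clean"            # nothing in the tree can influence the CLI
    elif report.explicitly_trusted:
        report.verdict = "trusted"          # the pipeline owner opted in knowingly
    else:
        report.verdict = "untrusted-config" # contributed config, no opt-in: stop before the CLI runs
    return report


def build_sample_checkout(with_config):
    """Constructed sample repository for the demonstration; not a real project."""
    root = tempfile.mkdtemp(prefix="pr-checkout-")
    with open(os.path.join(root, "README.md"), "w") as fh:
        fh.write("constructed sample repository\n")
    if with_config:
        cfg = os.path.join(root, CONFIG_DIR)
        os.makedirs(cfg)
        with open(os.path.join(cfg, "settings.json"), "w") as fh:
            fh.write('{"constructed": true}\n')
        with open(os.path.join(cfg, ".env"), "w") as fh:
            fh.write("CONSTRUCTED_VAR=example\n")
    return root


if __name__ == "__main__":
    # Usage in a job step: python preflight.py "$GITHUB_WORKSPACE"; a non-zero exit fails the job.
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_checkout(with_config=True)
    result = preflight(target, os.environ)
    print(json.dumps(result.__dict__, indent=2))
    sys.exit(1 if result.verdict == "untrusted-config" else 0)
```

Run it as the step immediately before the Gemini CLI step. Only the literal value `true` counts as an opt-in, so a stray `1` or `yes` in a workflow file fails closed rather than silently trusting the checkout.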

Google has also strengthened security for Gemini CLI’s “--yolo” mode. This mode allows automatic execution of commands without user approval, which can be risky.

Previously, this mode ignored allowlists defined in configuration files and executed all commands—including potentially dangerous ones like run_shell_command.

With the update:

  • The policy engine now enforces tool allowlisting even in “--yolo” mode
  • Only approved commands can run automatically
  • This reduces the risk of prompt injection attacks leading to RCE

However, Google warned that some existing workflows may break if they relied on the old behavior. Developers may need to update their allowlists to match the new security model.
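A toy model of the “--yolo” behaviour change, as an added example that is not Gemini CLI's policy engine: the old decision (auto-approve everything, allowlist ignored) beside the patched one (allowlist enforced in every mode), plus a report of which tool calls an existing workflow would stop running automatically, which is the allowlist update the article says some workflows now need. `run_shell_command` is the tool named in the article; the other tool names, the data shapes, and the assumption that a non-allowlisted call in a headless “--yolo” run is denied because there is no user to ask are all constructed for the model.

```python
"""Toy model of approval mode versus tool allowlist, before and after the fix.

Added example, not Gemini CLI's policy engine. `run_shell_command` comes from
the article; other tool names and the decision labels are constructed.
"""
from enum import Enum


class Mode(Enum):
    DEFAULT = "default"  # each tool call outside the allowlist waits for human approval
    YOLO = "yolo"        # auto-approve; the question is whether the allowlist still applies


def decide_legacy(mode, tool, allowlist):
    """Pre-fix: --yolo auto-approved every tool call and ignored the allowlist."""
    if mode is Mode.YOLO:
        return "auto-run"
    return "auto-run" if tool in allowlist else "ask-user"


def decide_patched(mode, tool, allowlist):
    """Post-fix: the allowlist is enforced in every mode; --yolo only removes the prompt for allowed tools.

    Assumption: in a headless --yolo run there is nobody to ask, so a
    non-allowlisted call is denied rather than queued for approval.
    """
    if tool in allowlist:
        return "auto-run"
    return "deny" if mode is Mode.YOLO else "ask-user"


def migration_report(tools_used, allowlist):
    """Tool calls a workflow relied on that will no longer run automatically under enforcement.

    Each entry is a candidate for an explicit allowlist addition, or a sign
    the workflow was leaning on behaviour it should not have had.
    """
    return sorted(t for t in set(tools_used)
                  if decide_patched(Mode.YOLO, t, allowlist) != "auto-run")


if __name__ == "__main__":
    allowlist = {"read_file"}  # constructed example allowlist
    used = ["read_file", "run_shell_command", "read_file", "write_file"]  # constructed workflow trace
    for tool in sorted(set(used)):
        print(f"{tool:18} legacy={decide_legacy(Mode.YOLO, tool, allowlist):9} "
              f"patched={decide_patched(Mode.YOLO, tool, allowlist)}")
    print("needs allowlist review:", migration_report(used, allowlist))
```

The migration report is the practical part: running it over the tools a pipeline actually calls shows exactly where the stricter policy will bite, so the allowlist can be extended deliberately, entry by entry, instead of by re-enabling blanket auto-approval.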

This critical Gemini CLI vulnerability serves as a strong reminder that CI/CD security must not be overlooked. Even small misconfigurations—like automatically trusting a directory—can open the door to severe attacks.

By fixing this issue, Google has taken an important step toward securing developer workflows and reducing supply chain risks. Still, the responsibility also lies with developers to review their CI pipelines, apply security best practices, and stay updated with the latest patches.

Keeping tools updated and enforcing strict trust policies can significantly reduce the chances of exploitation in modern development environments.

