Google Gemini CLI Flaw Enables Command Execution on Host Systems

A maximum-severity remote code execution (RCE) vulnerability in Google Gemini CLI has been disclosed by Novee Security, allowing unauthenticated external attackers to execute arbitrary commands directly on host systems, turning CI/CD pipelines into viable supply-chain attack vectors.

Google assigned the flaw a CVSS score of 10.0, the highest possible rating, underscoring the critical nature of the issue.

Security researcher Elad Meged and the Novee Security team discovered the vulnerability in both the @google/gemini-cli package and the google-github-actions/run-gemini-cli GitHub Action.

When Gemini CLI runs in a non-interactive environment, such as an automated CI/CD job, it implicitly trusts and applies the configuration files it finds in the working directory, which results in remote code execution on the host system.

Google Gemini CLI Vulnerability

The vulnerability stems from Gemini CLI’s handling of workspace trust in headless environments. In these scenarios, the tool automatically loads configuration files from the working directory without validation or user approval.

An attacker can exploit this behavior by submitting a malicious pull request containing crafted configuration files.

Once the CI/CD workflow runs, the Gemini CLI treats attacker-controlled content as trusted configuration. This triggers command execution on the host system before any sandbox protections are applied.

Notably, this attack does not rely on prompt injection or manipulation of AI model behavior. Instead, it operates at the infrastructure level: the command execution happens before the model is ever consulted, entirely bypassing the AI system's reasoning and safety mechanisms.

Every workflow using the google-github-actions/run-gemini-cli GitHub Action at a version below the patched release was affected. Successful exploitation gave an unprivileged external attacker code execution on the CI/CD runner, granting access to:

  • Repository source code and build artifacts
  • Secrets and credentials stored in the workflow environment
  • Cloud service tokens with downstream access
  • Lateral movement paths into connected production systems

Patches Released

Google released patches addressing the vulnerability in:

  • @google/gemini-cli versions 0.39.1 and 0.40.0-preview.3
  • google-github-actions/run-gemini-cli version 0.1.22

Organizations using any earlier version of these packages in CI/CD workflows should upgrade immediately and audit workflow logs for signs of unexpected configuration file loading or anomalous command execution.
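The upgrade advice above, turned into an added audit script that is not from the advisory, Novee Security or Google: it checks a package version string and the `uses:` references in workflow YAML against the patched versions the article lists. The sample workflow text is constructed, and two rules are assumptions: a preview build counts as fixed only from 0.40.0-preview.3 onward, and action tags are written as `v0.1.22`.

```python
import re

# Patched versions as stated in the advisory.
GEMINI_CLI_PATCHED_STABLE = (0, 39, 1)
GEMINI_CLI_PATCHED_PREVIEW = (0, 40, 0, 3)   # 0.40.0-preview.3
RUN_GEMINI_CLI_PATCHED = (0, 1, 22)

_VER = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-preview\.(\d+))?$")

def parse_version(text):
    """Return (major, minor, patch, preview) or None; preview is None for stable releases."""
    m = _VER.match(text.strip().lstrip("^~="))   # "^0.39.1" is read as its minimum
    if not m:
        return None
    major, minor, patch, preview = m.groups()
    return (int(major), int(minor), int(patch), int(preview) if preview else None)

def gemini_cli_is_patched(version):
    """True/False for an @google/gemini-cli version; None if it cannot be parsed."""
    v = parse_version(version)
    if v is None:
        return None                      # range, dist-tag or unparsable: review manually
    major, minor, patch, preview = v
    if preview is not None:
        # Assumption: preview builds are fixed only from 0.40.0-preview.3 onward.
        return (major, minor, patch, preview) >= GEMINI_CLI_PATCHED_PREVIEW
    return (major, minor, patch) >= GEMINI_CLI_PATCHED_STABLE

def action_is_patched(uses_ref):
    """True/False for a tagged run-gemini-cli reference; None if unpinned or unknown."""
    if "@" not in uses_ref:
        return None
    name, ref = uses_ref.split("@", 1)
    if name.strip() != "google-github-actions/run-gemini-cli":
        return None
    v = parse_version(ref)
    if v is None or v[3] is not None:
        return None                      # branch name, commit SHA or preview tag: review manually
    return v[:3] >= RUN_GEMINI_CLI_PATCHED

def audit_workflow(yaml_text):
    """Find run-gemini-cli `uses:` lines in workflow YAML; return [(reference, patched?)]."""
    findings = []
    for line in yaml_text.splitlines():
        m = re.search(r"uses:\s*(google-github-actions/run-gemini-cli@\S+)", line)
        if m:
            findings.append((m.group(1), action_is_patched(m.group(1))))
    return findings

# Constructed sample workflow: one vulnerable step and one patched step.
SAMPLE_WORKFLOW = """
jobs:
  review:
    steps:
      - uses: actions/checkout@v4
      - uses: google-github-actions/run-gemini-cli@v0.1.21
      - uses: google-github-actions/run-gemini-cli@v0.1.22
"""

if __name__ == "__main__":
    for ref, patched in audit_workflow(SAMPLE_WORKFLOW):
        print(ref, {True: "patched", False: "AFFECTED", None: "review manually"}[patched])
```

A result of None (an unpinned `@main`, a commit SHA or a version range) is deliberately not treated as safe; check the resolved version by hand.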

This vulnerability arrives amid accelerating software supply chain attacks, including the axios npm package hijack (March 2026), the Shai-Hulud self-replicating worm (2025), the XZ Utils backdoor (2024), and the Polyfill.io CDN hijack (2024).

AI coding agents now sit inside those same pipelines, according to Novee Security, holding the execution privileges of trusted contributors and reading from the same workspaces developers touch.

AI safety reviews probe model behavior, but none of them evaluate how all the layers (prompts, files, configuration, CI/CD runners, cloud credentials, and host environments) interact when an external attacker actively manipulates inputs.

Security teams should treat AI agents running in CI/CD pipelines as privileged infrastructure components, subject to the same scrutiny as any other trusted build system.

The post Google Gemini CLI Flaw Enables Command Execution on Host Systems appeared first on Cyber Security News.