This vulnerability effectively turned automated CI/CD pipelines into potential attack vectors in the supply chain.
Unlike typical AI exploits, this did not rely on prompt injection or model manipulation.
Instead, it was an infrastructure-level exploit that triggered before the AI agents’ sandbox could even initialize.
The core issue was how the Gemini CLI handled workspace trust in non-interactive environments.
When operating in headless mode during a CI/CD job, the CLI automatically trusts the current workspace folder.
It loaded any agent configuration found in that directory without requiring human approval, security reviews, or sandboxing.
An attacker could easily plant a malicious configuration file in a repository’s workspace by opening a standard pull request.
The Gemini agent would silently trust this file, resulting in immediate code execution on the host machine running the workflow.
This host-level execution grants an unprivileged outsider access to whatever secrets, cloud credentials, and source code the workflow can reach.
This level of access is enough to facilitate token theft, supply-chain pivots, and lateral movement into downstream production environments.
Google has released security patches to address this critical vulnerability. Administrators must upgrade their environments immediately to prevent exploitation.
The following patched versions resolve the unauthenticated execution flaw:
- Update @google/gemini-cli to version 0.39.1 or 0.40.0-preview.3.
- Update google-github-actions/run-gemini-cli to version 0.1.22.
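The two hardening points above (a pull request must not be able to change the configuration the agent trusts, and the action must be pinned at or above the fixed release) can both be enforced as a pre-step in the workflow. The following script is an added example, not code from the article, from Google, or from Novee Research. The agent-configuration path patterns in it are placeholders, since the article does not name the files the CLI loads; the action name `google-github-actions/run-gemini-cli` and the floor version 0.1.22 are taken from the patch list above.

```python
"""
Added example: two guards a CI maintainer can run before a headless
AI-agent step executes on untrusted pull-request content.

1. untrusted_config_changes(): given the files a pull request touches,
   return those that fall under agent-configuration paths.  The article
   says the CLI trusts configuration found in the workspace folder
   without approval, so such changes should block the agent step.
2. outdated_action_pins(): scan workflow text for
   `uses: google-github-actions/run-gemini-cli@<ref>` and flag pins
   below 0.1.22, the fixed version the article names.
"""
import fnmatch
import re

# PLACEHOLDER patterns (assumption for this example): replace with the
# configuration paths your agent actually loads.  Workflow files are
# included because editing them also changes what the pipeline runs.
AGENT_CONFIG_PATTERNS = (
    ".agent/*",
    "agent.config.json",
    ".github/workflows/*",
)

ACTION = "google-github-actions/run-gemini-cli"   # from the article
MIN_SAFE_ACTION_VERSION = (0, 1, 22)              # from the article

# Matches `- uses: owner/repo@ref` lines in a GitHub Actions workflow.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^@\s]+)@(\S+)", re.MULTILINE)
SEMVER_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?")


def untrusted_config_changes(changed_files):
    """Return the changed paths that match a protected pattern.

    fnmatch's `*` also matches `/`, so `.agent/*` covers nested files.
    """
    return [
        path
        for path in changed_files
        if any(fnmatch.fnmatch(path, pat) for pat in AGENT_CONFIG_PATTERNS)
    ]


def is_vulnerable_pin(ref):
    """True if `ref` is a release below the fixed version.

    A prerelease of the fixed version (e.g. 0.1.22-rc.1) sorts before the
    release under semver and is also reported as vulnerable.  Refs that are
    not semver (branch names, commit SHAs) cannot be judged from the string
    alone and return None.
    """
    m = SEMVER_RE.fullmatch(ref)
    if m is None:
        return None
    nums = tuple(int(x) for x in m.group(1, 2, 3))
    prerelease = m.group(4)
    if nums < MIN_SAFE_ACTION_VERSION:
        return True
    if nums == MIN_SAFE_ACTION_VERSION and prerelease:
        return True
    return False


def outdated_action_pins(workflow_text):
    """Return (ref, status) for every run-gemini-cli pin in the workflow.

    status is 'vulnerable', 'patched', or 'unverifiable' (non-semver ref).
    """
    results = []
    for m in USES_RE.finditer(workflow_text):
        if m.group(1) != ACTION:
            continue
        ref = m.group(2)
        verdict = is_vulnerable_pin(ref)
        if verdict is None:
            status = "unverifiable"
        else:
            status = "vulnerable" if verdict else "patched"
        results.append((ref, status))
    return results


# Constructed sample input: the file list of a hypothetical pull request,
# e.g. from `git diff --name-only base...head`.
SAMPLE_CHANGED_FILES = [
    "src/app.py",
    ".agent/settings.json",
    "README.md",
    ".github/workflows/review.yml",
]

# Constructed sample input: a workflow fragment with three pins.
SAMPLE_WORKFLOW = """\
jobs:
  review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: google-github-actions/run-gemini-cli@v0.1.20
      - uses: google-github-actions/run-gemini-cli@v0.1.22
      - uses: google-github-actions/run-gemini-cli@main
"""

if __name__ == "__main__":
    print("blocked paths:", untrusted_config_changes(SAMPLE_CHANGED_FILES))
    for ref, status in outdated_action_pins(SAMPLE_WORKFLOW):
        print(f"{ACTION}@{ref}: {status}")
```

In a real pipeline the first guard runs against the pull request's changed-file list before any agent step, and a non-empty result fails the job; the second is a repository lint over `.github/workflows/`. A branch or SHA pin is reported as unverifiable rather than patched on purpose: the string alone does not prove which release it resolves to.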
According to Novee Research, AI coding agents often run within development pipelines with the same execution privileges as trusted human contributors.
This deep integration means vulnerabilities in AI infrastructure pose a massive supply-chain risk.
The Gemini CLI flaw demonstrates that modern AI security must protect the entire path from the model to the application, including shell tools, repository files, and deployment workflows.
Threat actors increasingly target the development pipeline to distribute malicious payloads to downstream users at scale.
Recent notable software supply-chain incidents highlight this accelerating trend:
- A hijacked maintainer account compromised millions of axios npm package installations in March 2026.
- The Shai-Hulud worm hit hundreds of npm packages in 2025, deploying a data wiper in its v2.0 variant.
- Attackers planted a backdoor in XZ Utils in 2024 that enabled remote code execution through OpenSSH on affected Linux systems.
- The Polyfill.io CDN hijack in 2024 caused the widely embedded polyfill script to deliver malicious code to the sites loading it.
The post Google Gemini CLI Vulnerabilities Allow Attackers to Execute Commands on Host Systems appeared first on Cyber Security News.