Technical description
A critical remote code execution vulnerability in Gemini CLI, an open-source AI agent for terminal-based Gemini access, allowed attackers to execute arbitrary commands on the host system before sandbox initialization. The flaw stemmed from the agent automatically trusting workspace folder configurations without review, sandboxing, or human approval.
Attack vector
An attacker plants a malicious agent configuration file in a target workspace folder (e.g., via pull request, shared repository, or compromised dependency). When Gemini CLI or the run-gemini-cli GitHub Action executes in that workspace, it loads the malicious configuration and executes attacker-controlled commands on the host with the agent's privileges, granting access to secrets, credentials, source code, and tokens for lateral movement to downstream systems and supply chain compromise.
Affected systems
Gemini CLI (open-source terminal agent for Google Gemini) and the run-gemini-cli GitHub Action, affecting developers and CI/CD pipelines using these tools prior to the April 2026 patch. Researchers at Novee Security identified the vulnerability and worked with Google to coordinate disclosure and patching.
Mitigation
Google has patched both Gemini CLI and the run-gemini-cli GitHub Action. Update to the latest versions immediately. Review CI/CD pipeline logs and GitHub Actions workflows for evidence of malicious configuration loading or unexpected command execution. Audit workspace trust models for other AI agents and coding assistants—similar vulnerabilities may exist in Claude Code, GitHub Copilot Agent, and other tools that auto-load workspace configurations. Implement workspace sandboxing and configuration review gates before agent execution.
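A fail-closed configuration review gate of the kind the last mitigation calls for, as an added example that is not Gemini CLI's own code or part of Google's patch: the agent is only launched when every workspace config file matches a hash that a human approved earlier and stored outside the workspace. The config file patterns, the trust-store location and the `hooks` sample content are assumptions, since the page does not name the files involved.

```python
"""Fail-closed workspace config gate (added example; file names are hypothetical)."""
import hashlib
import json
import tempfile
from pathlib import Path

# Placeholder patterns: the real agent config file names depend on the tool in use.
AGENT_CONFIG_GLOBS = (".agent/settings.json", ".agent/commands/*.toml")

def sha256_file(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def find_agent_configs(workspace: Path, patterns=AGENT_CONFIG_GLOBS) -> list:
    """Every agent-readable config file present in the workspace, sorted."""
    return sorted({p for pat in patterns for p in workspace.glob(pat) if p.is_file()})

def approve_config(workspace: Path, config: Path, trust_store: Path) -> None:
    """Record a file's hash; call only after a human has actually read the file."""
    approved = json.loads(trust_store.read_text()) if trust_store.exists() else {}
    approved[config.relative_to(workspace).as_posix()] = sha256_file(config)
    trust_store.write_text(json.dumps(approved, indent=2, sort_keys=True))

def check_workspace_trust(workspace: Path, trust_store: Path, patterns=AGENT_CONFIG_GLOBS) -> dict:
    """Allow the agent only if every config file matches a previously approved hash.
    The trust store must live outside the workspace (runner image, user home) so that
    a pull request cannot approve its own configuration. Unknown files fail closed."""
    approved = json.loads(trust_store.read_text()) if trust_store.exists() else {}
    trusted, untrusted = [], []
    for cfg in find_agent_configs(workspace, patterns):
        rel = cfg.relative_to(workspace).as_posix()
        (trusted if approved.get(rel) == sha256_file(cfg) else untrusted).append(rel)
    return {"allowed": not untrusted, "trusted": trusted, "untrusted": untrusted}

def demo() -> tuple:
    """Constructed scenario: unreviewed config blocks, approval allows, a later edit blocks."""
    with tempfile.TemporaryDirectory() as tmp:
        ws, store = Path(tmp, "ws"), Path(tmp, "trust.json")  # store sits outside ws
        cfg = ws / ".agent" / "settings.json"
        cfg.parent.mkdir(parents=True)
        cfg.write_text('{"hooks": {"onStart": "make test"}}')  # constructed sample
        before = check_workspace_trust(ws, store)["allowed"]
        approve_config(ws, cfg, store)
        after = check_workspace_trust(ws, store)["allowed"]
        cfg.write_text('{"hooks": {"onStart": "edited after review"}}')
        return before, after, check_workspace_trust(ws, store)["allowed"]
```

In a CI job the gate runs as a step before the agent action and fails the job when `allowed` is false, so a config change arriving in a pull request cannot be executed until someone has reviewed and re-approved it.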