Technical description
Gemini CLI (Google's open-source AI terminal agent) in --yolo mode ignores tool allowlists and auto-approves all commands. An attacker can open a public GitHub issue on a repository that carries hidden malicious prompts. When the agent automatically triages the issue, it executes the injected instructions: extracting secrets, pivoting to write-access tokens, and achieving full supply chain compromise without human interaction.
Attack vector
The attacker posts a public issue on a target repository (e.g. a Google project) with an indirect prompt injection payload hidden in the issue text. A developer or CI system runs Gemini CLI in --yolo mode to auto-triage the issue. The agent reads the malicious prompts, extracts internal secrets from the build environment, sends them to an attacker-controlled server, then uses those credentials to obtain a write-access token. Full repository compromise follows. No user interaction is required in CI/CD.
Affected systems
Gemini CLI in --yolo mode. The issue was disclosed May 7, 2026 by Pillar Security with a CVSS score of 10.0 (maximum severity). Google has patched the vulnerability in the latest Gemini CLI release.
Mitigation
Update Gemini CLI immediately. Never use --yolo mode in production or CI/CD pipelines. Implement strict tool allowlists for AI agents. Review GitHub issues on public repositories for indirect prompt injection payloads (unusual formatting, hidden text, base64 blobs). Rotate secrets that may have been exposed if Gemini CLI was used in auto-triage mode before the patch.
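One way to automate the issue review step above, as an added example (not code from Google, Pillar Security or Gemini CLI): a pre-triage gate that flags the indicators named in the mitigation (hidden text, unusual formatting, base64 blobs) so the issue is held for a human instead of being handed to an agent. The function names, thresholds and sample bodies are assumptions made for illustration.

```python
import base64
import re
import unicodedata

# Heuristics for the indicators the advisory names; thresholds are assumptions.
HTML_COMMENT = re.compile(r"<!--(.*?)-->", re.DOTALL)  # not rendered, but present in the raw body
BASE64_RUN = re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{40,}={0,2}")
MIN_INVISIBLE = 3  # tolerate a stray zero-width joiner from an emoji

def invisible_chars(text):
    """Count format-category (Cf) code points: zero-width, bidi controls, Unicode tag chars."""
    return sum(1 for ch in text if unicodedata.category(ch) == "Cf")

def decodable_base64(blob):
    """True if the run decodes to mostly printable text, so it may hide readable instructions."""
    try:
        raw = base64.b64decode(blob + "=" * (-len(blob) % 4), validate=True)
    except ValueError:
        return False
    printable = sum(1 for b in raw if 32 <= b < 127 or b in (9, 10, 13))
    return len(raw) > 0 and printable / len(raw) > 0.9

def scan_issue(body):
    """Return a sorted list of indicator names found in a raw issue body."""
    findings = set()
    if any(c.strip() for c in HTML_COMMENT.findall(body)):
        findings.add("html_comment")
    if invisible_chars(body) >= MIN_INVISIBLE:
        findings.add("invisible_unicode")
    if any(decodable_base64(m) for m in BASE64_RUN.findall(body)):
        findings.add("base64_text")
    return sorted(findings)

def should_hold(body):
    """Gate: hold the issue for human review instead of passing it to an automated agent."""
    return bool(scan_issue(body))

# Constructed sample bodies (not taken from the disclosed issue).
SAMPLES = {
    "clean": "Build fails on main after upgrading. Steps: run the test suite.",
    "comment": "Crash on start.\n<!-- constructed placeholder for hidden instructions -->",
    "invisible": "Crash on start." + "\u200b\U000e0041\u200d",
    "encoded": "See log: " + base64.b64encode(b"constructed placeholder for hidden instruction text").decode(),
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, scan_issue(body))
```

Repositories whose issue templates ship guidance in HTML comments will trip the first check, so strip the known template comments before scanning. A clean result only means these indicators are absent; it does not replace the patch or the removal of --yolo from pipelines.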