Google patches Antigravity IDE flaw that could enable code execution

Google has patched a vulnerability in its Antigravity agentic IDE that researchers said could be used to achieve code execution by combining file creation with a flaw in the app’s file-search tool, according to a technical analysis published in April 2026.

KEY FACTS

  • Tool flaw: The issue involved Antigravity’s find_by_name tool and weak input sanitization.
  • Attack path: An attacker could inject the -X flag through the Pattern parameter to make fd execute binaries.
  • Security mode: The technique could bypass Strict Mode controls on network access, workspace writes and sandboxed commands.
  • Fix: Google addressed the problem after disclosure on Jan. 7, 2026, with remediation completed by Feb. 28.

Pillar Security said in a technical analysis that the flaw worked because the tool call ran before Strict Mode checks were enforced and was treated as a native invocation rather than a constrained action. That allowed malicious input in the Pattern field to pass directly to the underlying fd command.

The report said an attacker could stage a malicious script using Antigravity’s permitted file creation feature, then trigger execution through a search request that looked legitimate. In one example, a crafted Pattern value of -Xsh would cause matched files to be passed to sh for execution.
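The argument handling described above can be seen from the defender's side in the following added example, which is not code from Antigravity, Google's fix or Pillar Security's report. It assumes a hypothetical wrapper that builds an argv list for fd without a shell; the function names and sample patterns are constructed, and fd itself is never run.

```python
FD = "fd"  # assumed binary name; the page only says the tool passes Pattern to fd

class RejectedPattern(ValueError):
    """Raised when a Pattern value is refused by the hardened builder."""

def unsafe_argv(pattern, root):
    # Pattern lands where fd is still parsing options, so a value such as
    # "-Xsh" is read as a flag instead of a search pattern.
    return [FD, pattern, root]

def safe_argv(pattern, root):
    # Policy assumed for this example: a search pattern is never empty,
    # never contains NUL, and never starts with '-'.
    if not pattern or "\x00" in pattern:
        raise RejectedPattern("empty pattern or NUL byte")
    if pattern.startswith("-"):
        raise RejectedPattern("pattern starts with '-'")
    # Defence in depth: "--" ends option parsing, so everything after it
    # (pattern and root alike) is treated as a positional argument.
    return [FD, "--", pattern, root]

def option_like(argv):
    """Return the argv elements an option parser would read as flags."""
    flags = []
    for arg in argv[1:]:
        if arg == "--":          # end-of-options marker: stop looking
            break
        if arg.startswith("-") and arg != "-":
            flags.append(arg)
    return flags

def audit(patterns, root="."):
    """Compare both builders over a list of Pattern values."""
    report = {}
    for p in patterns:
        try:
            verdict = "accepted" if safe_argv(p, root) else "rejected"
        except RejectedPattern as exc:
            verdict = "rejected: %s" % exc
        report[p] = {"unsafe_flags": option_like(unsafe_argv(p, root)),
                     "hardened": verdict}
    return report

if __name__ == "__main__":
    # Constructed sample inputs; "-Xsh" is the value quoted in the report.
    for pattern, row in audit(["*.py", "README", "-Xsh"]).items():
        print(repr(pattern), row)
```

Rejecting a leading dash is a policy choice made for this example; the `--` separator alone already keeps such a value from being parsed as an option.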

The disclosure also said the attack could be delivered through indirect prompt injection, such as when a user opens an untrusted file containing hidden instructions for the AI agent. In that case, no additional user interaction would be needed after the prompt injection landed.

The findings come amid a wider wave of research into weaknesses in AI-powered development tools, including prompt injection, memory poisoning and sandbox escapes. Other recently reported issues have affected tools from Anthropic, Google, GitHub, Cursor, Microsoft and Salesforce.

WHY IT MATTERS

The case shows how permissive tools inside AI coding environments can become attack paths when input is not strictly checked. For developers, the risk is that a trusted workspace feature can be turned into code execution if an attacker can influence what the agent sees or runs.