Google patches critical Gemini CLI flaw that could allow remote code execution

Google has fixed a critical flaw in Gemini CLI and its GitHub Actions workflow that could let attackers run arbitrary commands on host systems, with the issue rated CVSS 10.0 and affecting versions used in headless CI environments.

KEY FACTS

  • Severity: The flaw carries a CVSS score of 10.0 and has no CVE identifier.
  • Affected software: It impacts @google/gemini-cli and google-github-actions/run-gemini-cli before the fixed releases.
  • Attack path: A malicious configuration in a trusted workspace could trigger code execution before sandboxing starts.
  • Fix: The update requires folders to be explicitly trusted before configuration files are loaded.

A technical analysis by Novee Security said an unprivileged external attacker could force malicious content to load as Gemini configuration, which could then lead to command execution on the host. The report said the weakness affects @google/gemini-cli versions below 0.39.1 and 0.40.0-preview.3, along with google-github-actions/run-gemini-cli below 0.1.22.

Google said the impact is limited to workflows using Gemini CLI in headless mode. In earlier versions, the tool automatically trusted workspace folders to load configuration and environment variables, including in CI jobs that may process untrusted content such as pull requests.

The update changes that behavior so folders must be explicitly trusted before configuration files can be accessed. Google advised users to review their workflows and set the trust variable only for trusted inputs, while hardening workflows that handle untrusted submissions.
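The behaviour change described above, as an added illustrative example rather than Gemini CLI's own code: a workspace configuration loader that refuses to read configuration or environment files from a checkout unless the caller has explicitly trusted that folder (or one of its parents), shown beside the older auto-trust behaviour. The file names `.example-cli/settings.json` and `.env`, the function names and the sample values are assumptions constructed for the example.

```python
"""Trust-gated loading of workspace configuration.

Illustrative example (not Gemini CLI's code). The legacy loader reads
configuration from whatever folder it is pointed at, which is what let a
pull-request checkout in a CI job supply attacker-controlled settings. The
hardened loader only reads those files once the folder has been explicitly
trusted, and it resolves paths so that a sibling such as /work/ab is not
treated as inside a trusted /work/a.
"""
import tempfile
from pathlib import Path
from typing import Dict, Iterable

# Hypothetical file names used by this example's imaginary CLI.
CONFIG_FILES = (".example-cli/settings.json", ".env")


class UntrustedWorkspaceError(Exception):
    """Raised when configuration is requested from a folder nobody trusted."""


def load_workspace_config_legacy(workspace: Path) -> Dict[str, str]:
    """Old behaviour: trust the workspace implicitly and load everything found."""
    found = {}
    for rel in CONFIG_FILES:
        path = Path(workspace) / rel
        if path.is_file():
            found[rel] = path.read_text()
    return found


def is_trusted(workspace: Path, trusted_roots: Iterable[Path]) -> bool:
    """True only if the resolved workspace equals, or lies under, a trusted root."""
    ws = Path(workspace).resolve()
    for root in trusted_roots:
        resolved_root = Path(root).resolve()
        # Path-component comparison, not a string prefix check, so that
        # "/work/ab" is never accepted on the strength of a trusted "/work/a".
        if ws == resolved_root or resolved_root in ws.parents:
            return True
    return False


def load_workspace_config(workspace: Path, trusted_roots: Iterable[Path]) -> Dict[str, str]:
    """Hardened behaviour: refuse to touch configuration until the folder is trusted."""
    if not is_trusted(workspace, trusted_roots):
        raise UntrustedWorkspaceError(
            f"{workspace} is not an explicitly trusted folder; configuration not loaded"
        )
    return load_workspace_config_legacy(workspace)


def parse_dotenv(text: str) -> Dict[str, str]:
    """Minimal KEY=VALUE parser for .env content; ignores blanks and # comments."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip('"').strip("'")
    return env


def demo() -> dict:
    """Build a constructed checkout and compare legacy and hardened loading."""
    with tempfile.TemporaryDirectory() as tmp:
        ws = Path(tmp) / "pull-request-checkout"
        (ws / ".example-cli").mkdir(parents=True)
        (ws / ".example-cli" / "settings.json").write_text('{"tool": "constructed"}')
        # Constructed sample values, not real secrets.
        (ws / ".env").write_text("API_KEY=constructed-not-real\n# comment\nDEBUG=1\n")

        legacy = load_workspace_config_legacy(ws)  # loads without any trust decision
        try:
            load_workspace_config(ws, trusted_roots=[])
            refused = False
        except UntrustedWorkspaceError:
            refused = True
        hardened = load_workspace_config(ws, trusted_roots=[ws])  # explicit trust
        return {
            "legacy_env": parse_dotenv(legacy[".env"]),
            "refused_when_untrusted": refused,
            "hardened_env": parse_dotenv(hardened[".env"]),
            "files": sorted(hardened),
            "trusted_via_parent": is_trusted(ws, [Path(tmp)]),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In a CI job the trusted-roots list would come from the workflow's own trust setting, never from the checkout being processed; otherwise the untrusted content decides whether it is trusted.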

Google also said version 0.39.1 changes how the policy engine handles tool allowlisting in --yolo mode. The disclosure said some workflows may fail silently unless allowlists are adjusted to fit the task.

Separately, the disclosure said the same research found high-severity issues in Cursor, including a prompt injection path that could lead to code execution and an unpatched access control problem that could expose local API keys and session tokens. Cursor said the access is limited to the local machine where the extension is installed.

WHY IT MATTERS

The flaw matters because CI systems and AI coding tools often run with broad access to code, credentials and build environments. In those settings, a trust bypass can turn routine automation into a route for remote code execution or data exposure.