Rewterz


Critical Gemini CLI Command Execution Bug

Severity

High

Analysis Summary

A critical remote code execution (RCE) vulnerability was discovered in Google’s Gemini CLI and its associated GitHub Action; it was assigned a High CVSS severity rating. The flaw allowed unauthenticated external attackers to execute arbitrary commands directly on host systems running affected CI/CD workflows, turning automated development pipelines into high-risk supply chain attack vectors and exposing organizations to severe compromise. Unlike typical attacks on AI systems, which depend on prompt injection or manipulation of model outputs, this vulnerability operated at the infrastructure level and was triggered before the AI agent’s sandbox protections could initialize.

The root cause was traced to how Gemini CLI handled workspace trust in non-interactive or headless CI/CD environments. When executed during automated workflows, the CLI automatically trusts the current workspace directory and loads any agent configuration files present without requiring user approval, validation, or sandbox enforcement. This created a dangerous attack path where an adversary could submit a seemingly harmless pull request containing a malicious configuration file. Once the CI/CD workflow executed, Gemini CLI would silently process the attacker-controlled configuration, resulting in immediate host-level command execution on the machine running the pipeline.

Successful exploitation granted attackers access to all resources available to the workflow environment, including sensitive API tokens, cloud credentials, internal source code repositories, deployment secrets, and infrastructure access keys. Such access could enable token theft, lateral movement across connected systems, downstream production compromise, and large-scale software supply chain attacks. Security researchers emphasized that AI coding agents often operate with privileges equivalent to trusted developers, making infrastructure flaws in these tools particularly dangerous because they bypass traditional trust assumptions embedded in modern software development pipelines.

Google has released patches to remediate the issue, and administrators are strongly advised to update immediately to secure versions: @google/gemini-cli version 0.39.1 or 0.40.0-preview.3, and google-github-actions/run-gemini-cli version 0.1.22. This incident highlights the growing need to secure the full AI development stack, including repository files, shell execution layers, and CI/CD automation logic. It also aligns with a broader trend of software supply chain attacks, including the compromise of the axios npm package in 2026, the Shai-Hulud campaign in 2025, the XZ Utils backdoor incident in 2024, and the Polyfill.io CDN hijack, all of which demonstrate how attackers increasingly target development infrastructure to distribute malicious payloads at scale.

Impact

  • Code Execution
  • Gain Access

Remediation

  • Immediately update @google/gemini-cli to version 0.39.1 or later (or 0.40.0-preview.3) to patch the critical remote code execution vulnerability.
  • Upgrade google-github-actions/run-gemini-cli to version 0.1.22 or newer across all CI/CD workflows.
  • Review all active CI/CD pipelines and identify workflows currently using vulnerable versions of Gemini CLI or related automation components.
  • Disable or restrict automatic workspace trust in non-interactive/headless environments wherever possible.
  • Enforce strict pull request validation and approval processes before allowing workflow execution on external contributions.
  • Configure CI/CD pipelines to run with the principle of least privilege, limiting access to only essential secrets, tokens, and cloud credentials.
  • Store sensitive credentials in secure secret-management solutions and rotate all exposed or potentially compromised tokens immediately.
  • Isolate CI/CD runners using sandboxed or ephemeral environments to reduce host-level impact if exploitation occurs.
  • Monitor workflow execution logs for unusual command execution, unauthorized configuration loading, or suspicious pull request activity.
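A pre-flight gate that a CI job could run before the agent step, as an added example that is not Rewterz's or Google's code: it refuses to proceed on an unpatched CLI version (handling the 0.40.0 preview line, which sorts above 0.39.1 but is only fixed from preview.3), on fork pull requests, or when the pull request modifies agent configuration. The agent configuration paths are assumptions, since the advisory does not name the files.

```python
import re
# Patched releases named in the advisory: 0.39.1+ on the stable line,
# or 0.40.0-preview.3+ on the preview line.
PATCHED_STABLE = (0, 39, 1)
PATCHED_PREVIEW_CORE, PATCHED_PREVIEW_NUM = (0, 40, 0), 3

# Agent configuration paths an untrusted pull request must not change.
# The advisory does not name the files; these locations are assumed.
AGENT_CONFIG_PATTERNS = (
    re.compile(r"^\.gemini/"),            # assumed project-level settings dir
    re.compile(r"(^|/)GEMINI\.md$"),      # assumed agent instruction file
    re.compile(r"^\.github/workflows/"),  # the workflow definition itself
)
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-preview\.(\d+))?$")

def is_patched(version: str) -> bool:
    """True if `version` is a fixed release or later. A plain ">= 0.39.1" test
    is wrong: 0.40.0-preview.1 sorts above 0.39.1 yet still carries the bug,
    so preview builds are compared against 0.40.0-preview.3 separately."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    core = tuple(int(x) for x in m.group(1, 2, 3))
    preview = m.group(4)
    if preview is None:
        return core >= PATCHED_STABLE
    if core == PATCHED_PREVIEW_CORE:
        return int(preview) >= PATCHED_PREVIEW_NUM
    return core > PATCHED_PREVIEW_CORE  # later preview lines pass, earlier fail

def config_files_touched(changed_paths):
    # Changed paths that match an agent configuration location.
    return [p for p in changed_paths if any(r.search(p) for r in AGENT_CONFIG_PATTERNS)]

def gate(version, head_repo, base_repo, changed_paths):
    """Reasons to refuse running the agent; an empty list means proceed."""
    reasons = []
    if not is_patched(version):
        reasons.append(f"gemini-cli {version} predates the patched releases")
    if head_repo != base_repo:  # fork PRs never get to drive the agent
        reasons.append(f"pull request comes from fork {head_repo}")
    touched = config_files_touched(changed_paths)
    if touched:
        reasons.append("pull request modifies agent configuration: " + ", ".join(touched))
    return reasons

if __name__ == "__main__":
    # Constructed sample: a fork PR adding a config file, run on a vulnerable preview build.
    for reason in gate("0.40.0-preview.1", "fork/repo", "org/repo", [".gemini/settings.json"]):
        print("refuse:", reason)
```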