A critical security vulnerability in Google’s Gemini CLI has been disclosed, allowing attackers to execute arbitrary code in certain CI/CD environments, particularly GitHub Actions workflows.
The issue, tracked as CVE-2026-12537, impacts multiple versions of the Gemini CLI and its related GitHub Action.
The vulnerability affects @google/gemini-cli versions before 0.39.1 and 0.40.0-preview.3, as well as google-github-actions/run-gemini-cli versions earlier than 0.1.22.
Security researchers identified that improper handling of workspace trust and tool execution policies could expose systems to remote code execution (RCE).
Gemini CLI Vulnerability
The root cause lies in how Gemini CLI previously handled “headless” environments, such as automated CI pipelines. In earlier versions, the CLI automatically trusted workspace folders when running in non-interactive mode.
This meant that configuration files, including environment variables stored in local directories such as .gemini/.env, were loaded without verification. An attacker could exploit this behavior by injecting malicious environment variables into a repository.
When a CI workflow processed untrusted input, such as a pull request, the Gemini CLI would load these variables and potentially execute arbitrary commands.
This creates a direct path to remote code execution without requiring user interaction. Additionally, a second issue involved the --yolo mode, where Gemini CLI ignored fine-grained tool allowlists.
If workflows permitted shell command execution, attackers could leverage prompt injection techniques to run unauthorized commands. This significantly increased the risk in automated pipelines handling untrusted data.
The vulnerability has been rated critical, with CVSS metrics indicating network-based exploitation, low attack complexity, and no requirement for privileges or user interaction.
Successful exploitation can result in the complete compromise of confidentiality, integrity, and availability. Notably, the flaw enables pre-sandbox host-level code execution in some CI environments.
This means attackers could escape intended restrictions and execute commands directly on the host system running the pipeline.
For instance, a malicious contributor could submit a pull request containing a crafted .gemini/.env file. If the CI pipeline uses a vulnerable version of Gemini CLI, it would automatically trust and load the file.
This could trigger execution of embedded commands, allowing the attacker to access secrets, modify build artifacts, or pivot to other systems.
Google has released patched versions addressing these issues. The updated Gemini CLI enforces explicit workspace trust in headless mode, aligning it with interactive behavior.
Configuration files are no longer loaded unless the workspace is explicitly marked as trusted. The update also ensures that tool allowlisting is enforced even in --yolo mode, preventing unrestricted command execution.
Users are strongly advised to:
- Upgrade to Gemini CLI version 0.39.1 or 0.40.0-preview.3, and run-gemini-cli version 0.1.22 or later.
- Review CI/CD workflows that process untrusted inputs.
- Set the environment variable GEMINI_TRUST_WORKSPACE to true only for trusted repositories.
- Implement strict tool allowlists and avoid enabling unnecessary command execution.
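As an added example (not code from Google or the advisory), a pipeline could run a pre-flight gate like the one below before invoking Gemini CLI on a pull request. The function names, the `trusted_source` flag and the sample paths are assumptions made for illustration; the version thresholds and `GEMINI_TRUST_WORKSPACE` are taken from the text above.

```python
import re
from pathlib import PurePosixPath

FIXED_STABLE = (0, 39, 1)    # first fixed stable release named in the article
FIXED_PREVIEW = (0, 40, 0)   # preview line fixed at 0.40.0-preview.3
FIXED_PREVIEW_N = 3
_SEMVER = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$")

def cli_is_patched(version):
    """True only for versions known to be at or past a fixed release (fails closed)."""
    m = _SEMVER.match(version.strip())
    if not m:
        return False                      # unparseable version string
    core, pre = tuple(int(x) for x in m.group(1, 2, 3)), m.group(4)
    if pre is None:
        return core >= FIXED_STABLE
    if core > FIXED_PREVIEW:              # pre-release of a later version
        return True
    # Other pre-release tags are not covered by the article: treat as unpatched.
    pm = re.fullmatch(r"preview\.(\d+)", pre)
    return core == FIXED_PREVIEW and bool(pm) and int(pm.group(1)) >= FIXED_PREVIEW_N

def workspace_config_paths(changed_paths):
    """Changed files that live inside a .gemini/ directory at any depth."""
    return [p for p in changed_paths if ".gemini" in PurePosixPath(p).parts[:-1]]

def preflight(version, changed_paths, trusted_source, env):
    """Return (ok, reasons); ok is False if the run should be blocked."""
    reasons = []
    if not cli_is_patched(version):
        reasons.append(f"gemini-cli {version} is not a known-fixed release")
    if not trusted_source:
        hits = workspace_config_paths(changed_paths)
        if hits:
            reasons.append("untrusted change adds workspace config: " + ", ".join(hits))
        if env.get("GEMINI_TRUST_WORKSPACE", "").lower() == "true":
            reasons.append("GEMINI_TRUST_WORKSPACE=true on an untrusted source")
    return (not reasons, reasons)

if __name__ == "__main__":
    # Constructed sample: a fork pull request as seen by a CI job.
    changed = ["src/index.ts", ".gemini/.env", "docs/.gemini/settings.json"]
    ok, why = preflight("0.39.0", changed, trusted_source=False,
                        env={"GEMINI_TRUST_WORKSPACE": "true"})
    print("run allowed" if ok else "blocked:\n  " + "\n  ".join(why))
```

The gate fails closed: a version string it cannot parse, or a pre-release tag the article does not cover, is treated as unpatched.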
Tracked as advisory GHSA-wpqr-6v78-jr5g, the vulnerability was responsibly disclosed by security researchers from Novee Security and Pillar Security.
Given the widespread use of automated pipelines, this vulnerability highlights the risks of implicit trust in CI environments. It reinforces the need for strict input validation and execution controls.