Google Gemini CLI Flaw Allows Code Execution in CI Pipelines
A maximum-severity vulnerability has been discovered in Google’s Gemini CLI and the associated run-gemini-cli GitHub Action, exposing headless continuous integration (CI) environments to host-level code execution when processing untrusted repository content.
Tracked as CVE-2026-12537 (GHSA-wpqr-6v78-jr5g) and rated at the highest possible score under CVSS v4, the flaw stems from improper OS command handling in the container launcher and unsafe workspace trust assumptions in non-interactive environments, such as GitHub Actions pipelines.
Google Gemini CLI Flaw
According to Google’s security advisory, versions of @google/gemini-cli prior to 0.39.1 automatically trusted workspace folders when operating in headless mode.
This allowed configuration files and environment variables from the local .gemini directory to be loaded without explicit user consent or verification.
In CI workflows that review user-submitted pull requests or other untrusted repository content, this behavior created a dangerous attack path. A threat actor could plant a malicious .gemini/.env file within a submitted repository, causing it to be interpreted as legitimate configuration data.
This enabled remote code execution on the underlying CI host before any sandbox protections were applied, effectively bypassing the security boundary entirely.
The National Vulnerability Database confirms that an unprivileged attacker could achieve pre-sandbox, host-level code execution on headless CI platforms by exploiting OS command injection in the Gemini CLI container launcher in all versions before 0.39.1, and in run-gemini-cli before 0.1.22.
The vulnerability’s severity is compounded by the way Gemini CLI previously handled tool allowlisting in --yolo mode. That mode ignored the fine-grained tool restrictions defined in ~/.gemini/settings.json, so workflows that permitted run_shell_command while processing untrusted input were especially exposed.
Attackers could combine prompt-level manipulation with a misconfigured tool allowlist to execute arbitrary commands, transforming AI-assisted CI pipelines into a vector for supply-chain attacks with significant potential for lateral movement and data exfiltration.
CWE Classifications
The vulnerability spans multiple weakness categories:
- CWE-20 – Improper Input Validation
- CWE-77 – Command Injection
- CWE-78 – OS Command Injection
- CWE-200 – Exposure of Sensitive Information
Patches and Mitigation
Google has released hardening updates that align headless behavior with interactive mode: explicit folder trust is now required before any configuration files, including .env, are processed. Patched releases are:
- @google/gemini-cli 0.39.1 and 0.40.0-preview.3
- google-github-actions/run-gemini-cli 0.1.22
All prior Action workflow versions are considered implicitly affected and should be updated immediately.
For workflows that only process trusted content, Google recommends setting GEMINI_TRUST_WORKSPACE: 'true' explicitly. Teams handling untrusted inputs are urged to follow the hardening guidance in the run-gemini-cli repository and to enforce strict tool allowlists that remain active even in --yolo mode.
Security researchers from Novee Security and Pillar Security, acknowledged under Google’s Vulnerability Rewards Program, classify this as a CI supply-chain risk.
They urge all organizations using the Gemini CLI in CI/CD environments to immediately audit pipelines for unsafe trust assumptions and outdated versions of the Gemini CLI before attackers can operationalize the exploit against vulnerable workflows.
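The following audit script is an added example, not code from Google or from the article's sources. It scans GitHub Actions workflow text for the conditions the article describes: a run-gemini-cli pin older than 0.1.22, an @google/gemini-cli pin older than 0.39.1, and a job that runs on pull-request content while also trusting the workspace, using --yolo, or allowing run_shell_command. The two workflows it checks are constructed samples embedded inline; the trigger names, the expression github.event.pull_request.head.sha and the settings.json key layout in the sample are assumptions about what an exposed pipeline looks like, not facts taken from the advisory. The version thresholds come from the article.

```python
"""Audit GitHub Actions workflows for the Gemini CLI trust and version issues.

Heuristic, regex-based scanner (added example, not an official Google tool).
"""
import glob
import re
import sys
from typing import List, Optional, Tuple

# Patched versions as stated in the advisory.
PATCHED_ACTION = (0, 1, 22)   # google-github-actions/run-gemini-cli
PATCHED_CLI = (0, 39, 1)      # @google/gemini-cli

ACTION_RE = re.compile(r"uses:\s*google-github-actions/run-gemini-cli@(\S+)")
CLI_RE = re.compile(r"@google/gemini-cli@(\d+\.\d+\.\d+)")
TRUST_RE = re.compile(r"GEMINI_TRUST_WORKSPACE:\s*['\"]?true['\"]?")
# Triggers and expressions that mean the job sees content a stranger can write
# (assumed indicators of untrusted input, not a complete list).
UNTRUSTED_RE = re.compile(
    r"\b(pull_request_target|pull_request|issue_comment)\b"
    r"|github\.event\.pull_request\.head\.(sha|ref)"
)


def parse_version(ref: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) for 'v1.2.3' or '1.2.3'; None for a SHA, 'main' or 'v0'."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", ref)
    return tuple(int(x) for x in m.groups()) if m else None  # type: ignore[return-value]


def audit_workflow(name: str, text: str) -> List[str]:
    """Return a list of human-readable findings for one workflow file's text."""
    findings: List[str] = []
    for m in ACTION_RE.finditer(text):
        ref = m.group(1)
        v = parse_version(ref)
        if v is None:
            findings.append(f"{name}: run-gemini-cli@{ref} is a floating or SHA ref; verify it resolves to >= 0.1.22")
        elif v < PATCHED_ACTION:
            findings.append(f"{name}: run-gemini-cli@{ref} predates patched 0.1.22")
    for m in CLI_RE.finditer(text):
        v = parse_version(m.group(1))
        if v is not None and v < PATCHED_CLI:
            findings.append(f"{name}: @google/gemini-cli@{m.group(1)} predates patched 0.39.1")
    if UNTRUSTED_RE.search(text):
        # Each of these is harmless on trusted content but dangerous on a fork's PR.
        if TRUST_RE.search(text):
            findings.append(f"{name}: GEMINI_TRUST_WORKSPACE=true while the job handles pull-request content")
        if "--yolo" in text:
            findings.append(f"{name}: --yolo used on pull-request content; confirm the tool allowlist is enforced")
        if "run_shell_command" in text:
            findings.append(f"{name}: run_shell_command allowed while processing pull-request content")
    return findings


# Constructed sample: an exposed review pipeline (settings.json keys are illustrative).
VULNERABLE_WORKFLOW = """\
name: ai-review
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: echo '{"tools": {"allowed": ["run_shell_command"]}}' > ~/.gemini/settings.json
      - run: npx @google/gemini-cli@0.38.0 --yolo
      - uses: google-github-actions/run-gemini-cli@v0.1.20
        env:
          GEMINI_TRUST_WORKSPACE: 'true'
"""

# Constructed sample: trusted content only, patched action pin.
SAFE_WORKFLOW = """\
name: nightly-docs
on:
  push:
    branches: [main]
jobs:
  docs:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: google-github-actions/run-gemini-cli@v0.1.22
        env:
          GEMINI_TRUST_WORKSPACE: 'true'
"""


def audit_repo(pattern: str = ".github/workflows/*.y*ml") -> List[str]:
    """Audit every workflow file matching the glob pattern."""
    out: List[str] = []
    for path in sorted(glob.glob(pattern)):
        with open(path, encoding="utf-8") as fh:
            out.extend(audit_workflow(path, fh.read()))
    return out


if __name__ == "__main__":
    results = audit_repo() if len(sys.argv) == 1 else audit_workflow("vulnerable.yml", VULNERABLE_WORKFLOW)
    print("\n".join(results) or "no findings")
```

Run it from a repository root to scan .github/workflows, or with any argument to run it against the embedded sample; a pin to a branch or commit SHA is reported as unverifiable rather than as safe, because the script cannot resolve what it points at.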