Unrated severityNVD Advisory· Published Jun 24, 2026· Updated Jun 24, 2026

Unauthenticated Remote Code Execution in Gemini CLI CI/CD Workflows

CVE-2026-12537

Description

Improper Neutralization used in an OS Command in the container launcher in Google Gemini CLI (versions prior to 0.39.1) and run-gemini-cli GitHub Action (versions prior to 0.1.22) on headless CI platforms allows an unprivileged attacker to achieve pre-sandbox host-level code execution a maliciously crafted .gemini/.env file.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

Google/Gemini CLIllm-create
Range: <0.39.1
Google/run-gemini-cli GitHub Actionllm-create
Range: <0.1.22

Patches

Vulnerability mechanics

References

github.com/google-github-actions/run-gemini-cli/security/advisories/GHSA-wpqr-6v78-jr5gmitre

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000