Critical Gemini CLI Vulnerability Allows Arbitrary Code Execution in CI/CD Environments
A critical vulnerability (CVE-2026-12537) in Google's Gemini CLI and its GitHub Action enables arbitrary code execution in CI/CD pipelines, impacting versions prior to 0.39.1 and 0.1.22 respectively.

Google's Gemini Command Line Interface (CLI) and its associated GitHub Action have been found to contain a critical vulnerability, tracked as CVE-2026-12537, that permits attackers to execute arbitrary code within CI/CD environments. This flaw poses a significant risk to automated build and deployment pipelines, particularly those utilizing GitHub Actions.
The vulnerability stems from improper handling of workspace trust and tool execution policies within the Gemini CLI. In affected versions, specifically @google/gemini-cli prior to 0.39.1 and 0.40.0-preview.3 and the google-github-actions/run-gemini-cli action before version 0.1.22, the CLI would automatically trust workspace folders when operating in non-interactive, or "headless," modes. This implicit trust meant that configuration files, such as environment variable files found in local directories like .gemini/.env, could be loaded and processed without thorough verification.
Attackers can exploit this weakness by injecting malicious environment variables into a repository. When a CI workflow, especially one triggered by untrusted input such as a pull request, processes these malicious configurations, the vulnerable Gemini CLI would load the compromised environment variables. This process can lead to the execution of arbitrary commands, granting attackers a direct pathway to remote code execution (RCE) without requiring any user interaction.
Further exacerbating the risk, a secondary issue was identified concerning the --yolo mode within the Gemini CLI. In this mode, the tool previously ignored fine-grained tool allowlists. If CI workflows permitted the execution of shell commands, attackers could leverage prompt injection techniques to bypass these restrictions and run unauthorized commands. This significantly amplifies the danger in automated pipelines that handle potentially untrusted data sources.
The vulnerability has been assigned a critical severity rating, with CVSS metrics indicating that it can be exploited over the network with low attack complexity and without requiring any privileges or user interaction. Successful exploitation could lead to a complete compromise of confidentiality, integrity, and availability of the affected systems. In some CI environments, the flaw allows for pre-sandbox host-level code execution, enabling attackers to break out of intended restrictions and execute commands directly on the underlying host system running the pipeline.
For instance, a malicious actor could submit a pull request containing a specially crafted .gemini/.env file. If the CI pipeline utilizes a vulnerable version of the Gemini CLI, it would automatically load this file, potentially triggering the execution of embedded malicious commands. This could allow the attacker to steal sensitive secrets, tamper with build artifacts, or use the compromised pipeline as a pivot point to attack other systems within the network.
Google has since released patched versions of the Gemini CLI and its GitHub Action to address these critical issues. The updated Gemini CLI now enforces explicit workspace trust in headless mode, mirroring the behavior of interactive sessions, and configuration files are only loaded if the workspace is explicitly marked as trusted. The update also ensures that tool allowlisting is strictly enforced, even when the --yolo mode is active, thereby preventing unrestricted command execution.
Users are strongly advised to upgrade to Gemini CLI version 0.39.1 or 0.40.0-preview.3, and run-gemini-cli version 0.1.22 or later. Additionally, organizations should review their CI/CD workflows, ensure that the GEMINI_TRUST_WORKSPACE environment variable is set to true only for trusted repositories, and implement strict tool allowlisting practices. This vulnerability underscores the ongoing risks associated with implicit trust in CI environments and highlights the critical need for robust input validation and execution controls in automated systems.
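
The workflow review recommended above can be partly automated. The following audit script is an added example, not code from Google or the Gemini CLI project: it flags run-gemini-cli references older than 0.1.22, GEMINI_TRUST_WORKSPACE or --yolo in pull-request-triggered workflows, and a checked-in .gemini/.env file. The finding labels, function names and the line-based trigger heuristic are assumptions made for illustration.

```python
import re
from pathlib import Path

FIXED_ACTION = (0, 1, 22)  # first patched run-gemini-cli release per the article
USES_RE = re.compile(r"uses:\s*google-github-actions/run-gemini-cli@(\S+)")
SEMVER_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)$")
# Line-based heuristic for pull-request triggers (assumption: no full YAML parse).
PR_RE = re.compile(r"(?m)^(?:on:.*\b|\s*(?:-\s*)?)pull_request(?:_target)?\b")
TRUST_RE = re.compile(r"GEMINI_TRUST_WORKSPACE\s*[:=]\s*['\"]?true\b", re.I)

def audit_workflow(text):
    """Return finding strings for the text of one workflow file."""
    findings = []
    for ref in USES_RE.findall(text):
        m = SEMVER_RE.match(ref)
        if m is None:
            # Branch, floating tag or commit SHA: version must be resolved by hand.
            findings.append(f"unverifiable-ref:{ref}")
        elif tuple(map(int, m.groups())) < FIXED_ACTION:
            findings.append(f"vulnerable-action:{ref}")
    if PR_RE.search(text):  # workflow runs on untrusted pull-request input
        if TRUST_RE.search(text):
            findings.append("trust-on-untrusted-trigger")
        if "--yolo" in text:
            findings.append("yolo-on-untrusted-trigger")
    return findings

def audit_repo(root):
    """Map relative path -> findings for a checked-out repository."""
    root, report = Path(root), {}
    if (root / ".gemini" / ".env").is_file():
        report[".gemini/.env"] = ["workspace-env-file-present"]
    for wf in sorted((root / ".github" / "workflows").glob("*.y*ml")):
        hits = audit_workflow(wf.read_text(encoding="utf-8"))
        if hits:
            report[wf.relative_to(root).as_posix()] = hits
    return report

# Constructed sample workflow, not taken from any real repository.
SAMPLE = """\
on:
  pull_request:
jobs:
  review:
    runs-on: ubuntu-latest
    env:
      GEMINI_TRUST_WORKSPACE: "true"
    steps:
      - uses: google-github-actions/run-gemini-cli@v0.1.21
"""

if __name__ == "__main__":
    print(audit_workflow(SAMPLE))
```

References reported as unverifiable-ref (a branch, a floating tag such as a major version, or a commit SHA) need to be resolved to a release manually before they can be compared against 0.1.22.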