VYPR
patch · Published Apr 21, 2026 · Updated May 18, 2026 · 1 source

Google Patches Critical RCE Flaw in Antigravity AI IDE Allowing Sandbox Escape via Prompt Injection

Google has fixed a critical vulnerability in its Antigravity agentic IDE that allowed attackers to escape the Secure Mode sandbox and achieve remote code execution through a prompt injection attack.

Google has patched a critical remote code execution (RCE) vulnerability in its Antigravity agentic integrated development environment (IDE) that allowed attackers to bypass the product's most restrictive security configuration. Researchers at Pillar Security demonstrated a proof-of-concept prompt injection attack that exploits insufficient input sanitization in the IDE's tool-execution model, enabling arbitrary code execution without user interaction.

The flaw resides in the `find_by_name` tool's Pattern parameter, which passes user-supplied input to the underlying `fd` utility. By injecting command-line flags into the Pattern parameter, an attacker can convert a file search operation into arbitrary code execution. Because Antigravity can create files as a permitted action, the attack chain becomes: stage a malicious script, then trigger it through a seemingly legitimate search — all without additional user interaction once the prompt injection lands.

Critically, the vulnerability bypasses Antigravity's Secure Mode, which is designed to restrict network access, prevent out-of-workspace writes, and ensure all command operations run strictly under a sandbox context. According to Pillar Security's Dan Lisichkin, "None of these controls prevent exploitation, because the `find_by_name` tool call fires before any of these restrictions are evaluated." The agent treats the call as a native tool invocation, not a shell command, so it never reaches the security boundary that Secure Mode enforces.

Google acknowledged and fixed the flaw in February, shortly after Pillar reported it in January. The research team received a bug bounty for the discovery, though the amount was not disclosed. The vulnerability has not yet been assigned a CVE identifier.

Prompt injection flaws are becoming increasingly common in agentic AI tools, including the ChatGPT Atlas browser and Google's Gemini AI chatbot. However, security researcher Fredrik Almroth of Detectify notes that this particular issue may be more of an IDE problem than an AI-specific one. "This is an issue across IDEs, AI or not," Almroth said. "Any time you have a primitive that reads or writes files or executes commands, there is a risk of security breaches. Making a 'fully secure' sandbox environment is virtually impossible."

Pillar Security's research also highlights a similar prompt-injection vulnerability (CVE-2026-22708) in the AI-assisted development environment Cursor, indicating that the pattern repeats across agentic IDEs: tools designed for constrained operations become attack vectors when their inputs are not strictly validated. Lisichkin warned that "the trust model underpinning security assumptions, that a human will catch something suspicious, does not hold when autonomous agents follow instructions from external content."

To address the broader class of vulnerabilities, Lisichkin argues that the industry must move beyond sanitization-based controls toward execution isolation, since "every native tool parameter that reaches a shell command is a potential injection point." Developers of agentic AI IDEs must make auditing for this class of vulnerability mandatory before shipping agentic features. While secure sandboxing is theoretically achievable, Almroth cautions that "having an LLM in the mix adds another layer of complexity to a challenge companies have been struggling with for years."
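As an added illustration (not code from Pillar Security, Google or the Antigravity project), the argument-injection shape described above, written as a tool-side argv builder: the naive version places the user-controlled pattern where `fd`'s option parser sees it, the hardened version uses `--` to end option parsing and rejects option-like values, and an audit helper flags any string parameter that could reach a shell. The function names and the `--constructed-flag` sample value are assumptions.

```python
import subprocess
from typing import Dict, List


class UnsafePatternError(ValueError):
    """Raised when a tool parameter could be parsed as a command-line option."""


def looks_like_option(value: str) -> bool:
    # Any value starting with '-' is a candidate for option parsing by fd
    # (or by any getopt/clap-style CLI) if it lands before '--'.
    return value.startswith("-")


def build_fd_argv_naive(pattern: str, root: str = ".") -> List[str]:
    # The weak shape: the user-controlled pattern goes straight in as the first
    # positional argument, so a constructed value like '--constructed-flag'
    # reaches fd's option parser instead of its regex matcher.
    return ["fd", pattern, root]


def build_fd_argv(pattern: str, root: str = ".") -> List[str]:
    # The hardened shape: '--' ends option parsing, so whatever follows is a
    # positional argument no matter how it looks. Option-like values are still
    # rejected so they surface in logs instead of silently changing behaviour.
    for name, value in (("pattern", pattern), ("root", root)):
        if not value or looks_like_option(value):
            raise UnsafePatternError(f"{name} is empty or option-like: {value!r}")
    return ["fd", "--", pattern, root]


def audit_tool_params(params: Dict[str, str]) -> List[str]:
    # Audit helper for the review the article calls for: every string parameter
    # that will reach a shell command is checked for option-like content.
    return [name for name, value in params.items() if looks_like_option(value)]


def run_search(pattern: str, root: str = ".") -> List[str]:
    # argv list with no shell=True: the pattern is never re-tokenised by /bin/sh,
    # and '--' keeps it out of fd's option parser. Requires fd on PATH.
    argv = build_fd_argv(pattern, root)
    proc = subprocess.run(argv, capture_output=True, text=True, check=False)
    return proc.stdout.splitlines()
```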

Synthesized by Vypr AI