Google Patches CVSS 10.0 Gemini CLI Flaw and Cursor Vulnerability Enabling Code Execution
Google has fixed a critical vulnerability in the Gemini CLI npm package and GitHub Actions workflow that could allow unauthenticated attackers to execute arbitrary commands in CI/CD environments, while a separate bug in the Cursor AI coding tool also enables code execution via prompt injection.

Google has patched a maximum-severity vulnerability in the Gemini CLI tool that could allow unauthenticated attackers to execute arbitrary commands on host systems in CI/CD environments. The flaw, which carries a CVSS score of 10.0, affects the @google/gemini-cli npm package and the google-github-actions/run-gemini-cli GitHub Actions workflow. According to security firm Novee Security, the vulnerability allowed an external attacker to force their own malicious configuration to load as Gemini configuration, triggering command execution before the agent's sandbox even initialized.
The issue stems from Gemini CLI's automatic trust of workspace folders when running in headless mode, which is common in CI/CD pipelines. In affected versions, the tool would automatically load configuration and environment variables from the local .gemini/ directory without user review or sandboxing. An attacker could exploit this by planting a specially crafted configuration in a repository, turning CI/CD pipelines into supply-chain attack paths. Google has addressed the problem by requiring explicit folder trust before configuration files can be accessed, and has released updated versions: @google/gemini-cli 0.39.1 and 0.40.0-preview.3, and google-github-actions/run-gemini-cli 0.1.22.
In addition to the configuration loading flaw, Google also fixed a tool allowlisting bypass in Gemini CLI's --yolo mode. This mode is designed for automated workflows but previously ignored allowlists in settings.json, running every tool call automatically, including run_shell_command. An attacker could exploit this via indirect prompt injection from untrusted inputs such as GitHub issues, leading to remote code execution. The updated version 0.39.1 now enforces tool allowlists under --yolo mode, though Google warns that some workflows may fail silently unless their allowlists are updated.
Pillar Security researcher Dan Lisichkin, who discovered the allowlisting bypass, described the vulnerability as a "lethal trifecta" combining access to private data, exposure to untrusted content, and external communication capabilities. The attack chain could start from a GitHub issue, where hidden instructions cause the AI agent to parse malicious prompts, extract workflow secrets like GITHUB_TOKEN, and exfiltrate them to an attacker-controlled server. Armed with these credentials, a threat actor could push arbitrary code to the main branch of the repository.
Separately, Novee Security also disclosed a high-severity vulnerability in the AI-powered development tool Cursor, tracked as CVE-2026-26268 with a CVSS score of 8.1. The bug affects Cursor versions prior to 2.5 and allows arbitrary code execution through a sandbox escape via .git configurations. An attacker can embed a bare repository with a malicious Git hook that automatically fires when a commit operation runs, requiring no user interaction.
The Cursor exploit chain works as follows: a user clones a public GitHub repository containing an embedded bare repository with a malicious post-checkout hook; the user opens the repository in the Cursor IDE and asks an innocuous prompt like "explain the codebase"; the Cursor agent parses an AGENTS.md file that instructs it to navigate to the bare repository and perform a git checkout; the post-checkout hook fires, leading to code execution. Security researcher Assaf Levkovich noted that the root cause is not a flaw in Cursor's core logic but a consequence of feature interaction in Git that becomes exploitable when an AI agent autonomously executes Git operations in an untrusted repository.
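Both issues share a defensive pre-condition: before an AI agent runs unattended inside a freshly cloned repository, the checkout should be inspected for repository-local artifacts that can steer or execute on the agent's behalf. The following scanner is an added example written for this article and is not code from Google, Cursor, Novee Security or Pillar Security. It flags the two kinds of artifact the article describes, a .gemini/ configuration directory that Gemini CLI would auto-load in headless mode, and an embedded bare repository carrying an active post-checkout hook alongside an AGENTS.md instruction file. The sample checkout it builds is constructed in a temporary directory; the hook bodies and settings.json contents are placeholders, and GEMINI.md is assumed as a second agent-instruction filename rather than taken from the article.

```python
"""Pre-flight scanner for an untrusted repository checkout (added example)."""
import os
import stat
import tempfile
from dataclasses import dataclass

# Hook names Git runs on its own; post-checkout is the one the article describes.
GIT_HOOK_NAMES = {
    "pre-commit", "post-commit", "post-checkout", "post-merge",
    "pre-push", "prepare-commit-msg", "commit-msg", "pre-rebase",
}
# Files an agent reads as instructions. AGENTS.md is from the article;
# GEMINI.md is an assumed second example of the same class of file.
AGENT_INSTRUCTION_FILES = {"AGENTS.md", "GEMINI.md"}


@dataclass(frozen=True)
class Finding:
    kind: str   # one of: gemini-config, agent-instructions, embedded-bare-repo, active-git-hook
    path: str   # path relative to the checkout root


def _is_git_dir(d: str) -> bool:
    """True for a bare repository or a .git directory: HEAD, objects/ and refs/ side by side."""
    return (os.path.isfile(os.path.join(d, "HEAD"))
            and os.path.isdir(os.path.join(d, "objects"))
            and os.path.isdir(os.path.join(d, "refs")))


def _active_hooks(hooks_dir: str) -> list:
    """Executable hook scripts Git would actually run (the .sample files are ignored by Git)."""
    if not os.path.isdir(hooks_dir):
        return []
    found = []
    for name in sorted(os.listdir(hooks_dir)):
        if name.endswith(".sample") or name not in GIT_HOOK_NAMES:
            continue
        p = os.path.join(hooks_dir, name)
        if os.path.isfile(p) and os.stat(p).st_mode & stat.S_IXUSR:
            found.append(p)
    return found


def scan_checkout(root: str) -> list:
    """Walk a checkout and report artifacts an unattended agent could be steered by."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        base = os.path.basename(dirpath)
        if base == ".gemini":
            # Gemini CLI auto-loaded this directory in headless mode before the fix.
            for f in sorted(filenames):
                findings.append(Finding("gemini-config", os.path.normpath(os.path.join(rel, f))))
        for f in sorted(filenames):
            if f in AGENT_INSTRUCTION_FILES:
                findings.append(Finding("agent-instructions", os.path.normpath(os.path.join(rel, f))))
        if _is_git_dir(dirpath):
            # The checkout's own top-level .git is expected; any other repository layout is not.
            if base != ".git":
                findings.append(Finding("embedded-bare-repo", rel))
            for hook in _active_hooks(os.path.join(dirpath, "hooks")):
                findings.append(Finding("active-git-hook", os.path.relpath(hook, root)))
    return findings


def _mk_git_dir(path: str, hooks: dict) -> None:
    """Create a minimal repository skeleton; hooks maps name -> executable flag (constructed)."""
    for sub in ("objects", "refs", "hooks"):
        os.makedirs(os.path.join(path, sub))
    with open(os.path.join(path, "HEAD"), "w") as fh:
        fh.write("ref: refs/heads/main\n")
    for name, executable in hooks.items():
        p = os.path.join(path, "hooks", name)
        with open(p, "w") as fh:
            fh.write("#!/bin/sh\n# constructed placeholder hook body; never executed here\n")
        if executable:
            os.chmod(p, 0o755)


def build_sample_checkout() -> str:
    """Constructed sample layout mirroring the article's two scenarios (not a real clone)."""
    root = tempfile.mkdtemp(prefix="untrusted-checkout-")
    # Ordinary top-level .git with only an inert sample hook: must not be flagged.
    _mk_git_dir(os.path.join(root, ".git"), hooks={"pre-commit.sample": False})
    # Scenario 1: repository ships its own .gemini/ configuration.
    os.makedirs(os.path.join(root, ".gemini"))
    with open(os.path.join(root, ".gemini", "settings.json"), "w") as fh:
        fh.write("{}\n")  # placeholder contents, not a real Gemini CLI configuration
    # Scenario 2: AGENTS.md plus an embedded bare repo with an executable post-checkout hook.
    with open(os.path.join(root, "AGENTS.md"), "w") as fh:
        fh.write("# constructed placeholder agent instructions\n")
    _mk_git_dir(os.path.join(root, "vendor", "tool.git"), hooks={"post-checkout": True})
    return root


if __name__ == "__main__":
    for finding in scan_checkout(build_sample_checkout()):
        print(f"{finding.kind:22} {finding.path}")
```

Run against the constructed sample, the scanner reports the .gemini/settings.json file, AGENTS.md, the embedded bare repository under vendor/ and its executable post-checkout hook, while the checkout's own .git directory and its .sample hook produce nothing. A CI job can fail the build or withhold the agent step whenever the list is non-empty, which is the same decision the Gemini CLI fix now forces through explicit folder trust. For agent-driven Git operations in a repository that must be processed anyway, pointing Git's core.hooksPath setting at an empty directory prevents any hook in the checkout from running.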
Both vulnerabilities highlight the growing security challenges posed by AI-powered development tools that operate with elevated privileges in CI/CD environments. As these tools gain the ability to read files, execute commands, and interact with external systems, the attack surface expands significantly. Google's fixes emphasize the need for explicit trust mechanisms and allowlisting, while the Cursor bug demonstrates how seemingly innocuous features can be chained together for full compromise. Users of both tools are urged to update to the latest versions immediately and review their workflow configurations to ensure they are not exposed to similar attacks.