A significant vulnerability has been discovered in the Google Gemini Command Line Interface (CLI) and its associated GitHub Actions, which has been assigned the highest severity score of CVSS 10.0. This flaw allows external attackers to execute arbitrary commands directly on host systems, posing a major threat to automated CI/CD pipelines and potentially turning them into attack vectors within the software supply chain. Unlike standard AI-related exploits, this vulnerability arises from an infrastructure-level issue and occurs before the AI agent's sandbox can be activated. The problem stems from the way the Gemini CLI manages workspace trust in non-interactive, headless environments typical during CI/CD jobs. In these situations, the CLI automatically trusts the workspace folder, loading any agent configuration present without requiring user consent or security vetting. This means an attacker could introduce a malicious configuration file into a repository's workspace via a pull request, leading to immediate and unauthorized code execution on the host machine executing the workflow. Such execution provides attackers with access to secrets, cloud credentials, and source code, enabling token theft and potential lateral movements into downstream production environments. Google has issued patches to rectify this critical vulnerability, and it is imperative that administrators update their systems without delay to mitigate the risk of exploitation. Research by Novee highlights that AI coding agents typically operate within development pipelines with the same privileges as trusted contributors, highlighting the profound supply chain risks posed by vulnerabilities in AI infrastructure. The Gemini CLI flaw underscores the necessity of securing the entire development process, from models and shell tools to repository files and deployment workflows, as threat actors increasingly target these pipelines to disseminate malicious payloads.
Critical Flaw in Google Gemini CLI Poses Severe Security Risks
A maximum severity remote code execution flaw in the Gemini CLI and related GitHub Actions could allow attackers to run code on host systems. Apply patches immediately.


