Google Fixes CVSS 10 Gemini CLI Vulnerability Enabling GitHub Issue-Based RCE
Major Security Vulnerability in Google’s Gemini CLI 🚨
A significant security vulnerability recently threatened Google’s official gemini-cli repository and its associated GitHub Actions, risking a total takeover. Researchers from Pillar Security discovered a method to compromise this popular project, which has over 101,000 stars on GitHub. They indicated that a threat actor could exploit this flaw to carry out a full supply chain compromise. The severity of the vulnerability earned it a CVSS 10 rating.
According to the findings, the issue stemmed not from the AI model itself but from the system’s architecture. The team, led by Dan Lisichkin, revealed that a hacker could gain control of the repository merely by opening a public Issue on GitHub.
The Investigation Begins 🔍
The investigation was initiated when automated scanners flagged a vulnerability in Google’s Google/draco repository, attributed to Gemini running in --yolo mode. This dangerous setting permits the gemini-cli agent to auto-approve shell commands and tool calls without human confirmation, paving the way for an attack method dubbed TrustIssues. This method utilized a technique known as prompt injection.
With Gemini set to automatically read and label incoming GitHub issues while in --yolo mode, an attacker could conceal commands within the text of an issue. When Gemini processed the message, it would halt its normal operations and execute the attacker’s hidden shell commands instead.
The Lethal Trifecta ⚠️
Further investigation unveiled a lethal trifecta that facilitated the attack: a tool’s access to private data, the ability to read untrusted content from the public, and communication with external servers. Although Google attempted to restrict GitHub tokens from the AI agent, these keys were still stored on the computer’s disk. Specifically, the actions/checkout GitHub Action saved these credentials in a file named .git/config. Gemini was misled into reading this file and transmitting the keys to the attacker.
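A pre-flight check a workflow could run before handing the workspace to an agent, added here as an example (it is not Pillar Security's or Google's code): it parses a .git/config and reports credential-bearing settings without echoing them. It assumes the token is persisted as an http extraheader authorization entry, which is how actions/checkout writes it by default; the function names and the sample config are constructed for illustration.

```python
import re

# Constructed sample of a runner workspace .git/config after a checkout that
# persisted its token. The header value is a placeholder, not a credential.
SAMPLE_CONFIG = """\
[core]
\trepositoryformatversion = 0
[remote "origin"]
\turl = https://github.com/example-org/example-repo
[http "https://github.com/"]
\textraheader = AUTHORIZATION: basic PLACEHOLDER_NOT_A_REAL_TOKEN
"""

SECTION = re.compile(r'^\[\s*([\w.-]+)(?:\s+"((?:[^"\\]|\\.)*)")?\s*\]$')
URL_USERINFO = re.compile(r'^[a-z][a-z0-9+.-]*://[^/\s@]+@', re.I)

def parse_git_config(text):
    """Yield (section, subsection, key, value) for each setting."""
    section = sub = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = SECTION.match(line)
        if m:
            section, sub = m.group(1).lower(), m.group(2)
            continue
        if section is not None:
            key, _, value = line.partition("=")
            yield section, sub, key.strip().lower(), value.strip()

def find_persisted_credentials(text):
    """Return (location, reason) pairs; the secret value is never included."""
    findings = []
    for section, sub, key, value in parse_git_config(text):
        where = f'{section} "{sub}".{key}' if sub else f"{section}.{key}"
        if section == "http" and key == "extraheader" \
                and value.lower().startswith("authorization:"):
            findings.append((where, "authorization header stored in config"))
        elif key in ("url", "pushurl") and URL_USERINFO.match(value):
            findings.append((where, "userinfo embedded in remote URL"))
        elif section == "credential" and key == "helper" and value.startswith("store"):
            findings.append((where, "plaintext credential helper"))
    return findings

if __name__ == "__main__":
    for where, reason in find_persisted_credentials(SAMPLE_CONFIG):
        print(f"{where}: {reason}")
```

Setting `persist-credentials: false` on the actions/checkout step keeps the token out of .git/config in the first place; a check like this then serves as a guard that fails the job if a credential is still present.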
Proof of Concept Demonstrated 💻
In a proof-of-concept, researchers illustrated the entire attack chain, showcasing how a threat actor could escalate privileges after stealing the initial keys. By utilizing the stolen data to trigger other tasks like smoke-test.yml, the attacker ultimately gained write permissions, enabling them to modify the actual code in the gemini-cli repository.
Following the initial report by Pillar Security on April 16, 2026, regarding the Google/draco repository, the team demonstrated this complete attack on gemini-cli on April 20, prompting Google to release security advisory GHSA-wpqr-6v78-jr5g and software patches by April 24, 2026. The flaw is now patched in Gemini CLI (version 0.39.1) and run-gemini-cli (version 0.1.22), which restrict the commands the AI agent can execute, even in --yolo mode.