Full Report
This CVSS 10.0 RCE vuln has been patched, automatically for some, so better check those workflows

If you use Gemini CLI, watch out: Google has patched a CVSS 10.0 vulnerability in its command-line AI tool and is warning anyone running it in headless mode, or through GitHub Actions, to review their workflows.…
Analysis Summary
# Vulnerability: Critical RCE in Google Gemini CLI via Over-Permissive Workspace Trust
## CVE Details
- **CVE ID**: Pending (Assigned by Google, but not yet publicly listed at the time of the report)
- **CVSS Score**: 10.0 (Critical)
- **CWE**: CWE-20 (Improper Input Validation) / CWE-73 (External Control of File Name or Path)
## Affected Systems
- **Products**: Google Gemini CLI (command-line interface) and `run-gemini-cli` GitHub Action.
- **Versions**: All versions prior to 0.39.1 and 0.40.0-preview.3.
- **Configurations**: Systems running Gemini CLI in **headless mode**, automated CI/CD pipelines (such as GitHub Actions), and AI agents operating on untrusted workspace directories.
## Vulnerability Description
The vulnerability stems from an infrastructure-level flaw in how the Gemini CLI handles "workspace trust." In headless mode, the tool automatically assumed all workspace folders were trusted. This allowed the CLI to silently load and execute configuration files and environment variables from a local `.gemini/` directory without user intervention. An attacker could place malicious configurations in a repository; when the Gemini CLI processed that directory in an automated workflow, it would trigger Remote Code Execution (RCE) before any security sandboxing was initialized.
## Exploitation
- **Status**: PoC available (Writeup published by Novee Security). No confirmed reports of active exploitation in the wild, though it is highly critical for supply chain security.
- **Complexity**: Low (Requires only the presence of a malicious directory).
- **Attack Vector**: Network / Local (Attacker-controlled content in a workspace folder).
## Impact
- **Confidentiality**: Total (Unprivileged access to secrets, credentials, and source code).
- **Integrity**: Total (Ability to modify source code and pivot into downstream systems).
- **Availability**: Total (Potential for full system takeover or workflow disruption).
## Remediation
### Patches
- **Gemini CLI**: Upgrade to version **0.39.1** or **0.40.0-preview.3** and later.
- **GitHub Action**: The `run-gemini-cli` action defaults to the newest release, but users should verify they are not pinned to an older, vulnerable version.
### Workarounds
- Ensure the CLI is run only in interactive mode where explicit trust prompts are required.
- Isolate CI/CD runners to prevent lateral movement if a token is compromised.
## Detection
- **Indicators of Compromise**: Presence of unexpected or unauthorized `.gemini/` directories in repositories, especially those containing executable environment variables or config overrides.
- **Detection Methods**:
  - Review GitHub Action logs for failed workflows following the automatic patch (indicating a reliance on the old "automatic trust" behavior).
  - Audit tool allowlists if using `--yolo` mode, as the new version now enforces policy evaluation even in this mode.
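
The checks above and the version guidance under Remediation can be scripted for a repository checkout. The following is an added example, not code from Google or the researchers: it lists every `.gemini/` directory, reports the ref each workflow pins `run-gemini-cli` to, and classifies a CLI version string against the fixed releases named in this report. The function names, the sample file names, the sample pin and the `preview.N` tag format are assumptions.

```python
import re
import tempfile
from pathlib import Path

USES_RE = re.compile(r"uses:\s*['\"]?google-github-actions/run-gemini-cli@([^\s'\"#]+)")

def is_vulnerable(version: str) -> bool:
    """True if a Gemini CLI version predates 0.39.1 / 0.40.0-preview.3."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(?:-(.+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    core, pre = tuple(map(int, m.group(1, 2, 3))), m.group(4)
    if core < (0, 39, 1):
        return True
    if pre is None or core > (0, 40, 0):
        return False
    # Assumption: pre-releases are tagged "preview.N"; anything else is flagged.
    p = re.fullmatch(r"preview\.(\d+)", pre)
    return not (core == (0, 40, 0) and p and int(p.group(1)) >= 3)

def audit_checkout(root) -> dict:
    """List every .gemini/ directory and every run-gemini-cli pin under root."""
    root = Path(root)
    found = {"gemini_dirs": {}, "action_pins": []}
    for d in sorted(root.rglob(".gemini")):
        if d.is_dir():
            files = sorted(f.relative_to(d).as_posix() for f in d.rglob("*") if f.is_file())
            found["gemini_dirs"][d.relative_to(root).as_posix()] = files
    workflows = root / ".github" / "workflows"
    for wf in sorted(workflows.glob("*.y*ml")) if workflows.is_dir() else []:
        for n, line in enumerate(wf.read_text(errors="replace").splitlines(), 1):
            m = USES_RE.search(line)
            if m:  # commented-out lines match too, so they still get reviewed
                found["action_pins"].append((wf.name, n, m.group(1)))
    return found

def build_sample(root) -> Path:
    """Constructed checkout for the demo: file names and the pin are made up."""
    root = Path(root)
    (root / "docs" / ".gemini").mkdir(parents=True)
    (root / "docs" / ".gemini" / "settings.json").write_text("{}\n")
    (root / ".github" / "workflows").mkdir(parents=True)
    (root / ".github" / "workflows" / "review.yml").write_text(
        "jobs:\n  review:\n    steps:\n"
        "      - uses: google-github-actions/run-gemini-cli@v0.0.0-example\n")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(audit_checkout(build_sample(tmp)))
    print({v: is_vulnerable(v) for v in ("0.39.0", "0.39.1", "0.40.0-preview.2")})
```

Every reported `.gemini/` directory and every pinned ref is a prompt for manual review; the script does not judge whether a directory's contents are legitimate.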
## References
- **Vendor Advisory**: [https]://github[.]com/google-github-actions/run-gemini-cli/security/advisories/GHSA-wpqr-6v78-jr5g
- **Researcher Writeup**: [https]://novee[.]security/blog/google-gemini-cli-rce-vulnerability-cvss-10-critical-security-advisory/
- **News Report**: [https]://www[.]theregister[.]com/2026/04/30/google_gemini_cli_vuln/