Full Report
Google’s highest security setting for its agents runs command operations through a sandbox and throttles network access, but is still vulnerable to prompt injection. The post Vuln in Google’s Antigravity AI agent manager could escape sandbox, give attackers remote code execution appeared first on CyberScoop.
Analysis Summary
# Vulnerability: Remote Code Execution via Sandbox Escape in Google Antigravity
## CVE Details
- **CVE ID**: Not explicitly stated in the article (Research by Pillar Security)
- **CVSS Score**: Not provided (Likely "Critical" based on RCE and Sandbox Escape impact)
- **CWE**: CWE-94 (Improper Control of Generation of Code), CWE-1336 (Improper Neutralization of Special Elements Used in a Prompt)
## Affected Systems
- **Products**: Google Antigravity (AI-powered developer tool for filesystem operations)
- **Versions**: All versions prior to the February 28, 2026 patch.
- **Configurations**: Systems running in **"Secure Mode"** (Google’s highest security setting) are specifically noted as vulnerable to this bypass.
## Vulnerability Description
The vulnerability stems from a flaw in how Antigravity handles "native" system tools. While "Secure Mode" is designed to sandbox command operations and throttle network access, certain tools like `find_by_name` are classified as native system tools. These tools are executed directly by the agent before the Secure Mode protection layer can evaluate or intercept the command.
An attacker can use prompt injection to pass malicious parameters to these native tools. Because those parameters reach the shell without passing through the Secure Mode layer, they can be used for arbitrary code execution that bypasses both the virtual sandbox and its directory restrictions.
## Exploitation
- **Status**: PoC available (Disclosed by Pillar Security); Patched by vendor.
- **Complexity**: Medium
- **Attack Vector**: Network / Indirect (Prompt injection via compromised accounts or malicious files/web content ingested by the agent).
## Impact
- **Confidentiality**: High (Full access to the filesystem and potential data exfiltration).
- **Integrity**: High (Ability to execute arbitrary commands and modify files).
- **Availability**: High (Potential for system disruption or deletion of data).
## Remediation
### Patches
- Google released a patch for Antigravity on **February 28, 2026**. Users should ensure their agentic AI tools are updated to the latest version provided by Google.
### Workarounds
- **Input Validation**: Rigorously audit and sanitize any external data (files, web content, or documentation) before allowing an AI agent to ingest it.
- **Principle of Least Privilege**: Limit the agent's access to only the specific directories and network resources strictly required for its function, regardless of built-in "Secure Modes."
## Detection
- **Indicators of Compromise**: Unexpected shell commands being executed by the AI service account, particularly those involving `find_by_name` or other native filesystem utilities.
- **Detection Methods**: Monitor system logs for unusual subprocess spawning from the Antigravity process. Audit agent logs for "indirect prompt injection" patterns within ingested documents.
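As an added illustration of the detection advice above and of the gap described under Vulnerability Description (native-tool parameters that reach the shell unmediated), the following Python audits a constructed JSON-lines agent log for `find_by_name` calls whose arguments contain shell metacharacters or resolve outside the workspace. This is example code written for this page, not Antigravity's or Pillar Security's; the log format, field names and workspace path are assumptions.

```python
import json
import posixpath
import re

# Assumed (constructed) log format, not Antigravity's: one JSON object per tool
# call with "tool" and "args" keys.
NATIVE_TOOLS = {"find_by_name"}            # the native tool named in the report
SHELL_META = re.compile(r"[;&|`$<>\n]")    # characters that change shell meaning

def path_escapes_workspace(path: str, workspace: str) -> bool:
    """True when a path argument resolves outside the agent's workspace root."""
    ws = posixpath.normpath(workspace)
    full = path if posixpath.isabs(path) else posixpath.join(ws, path)
    resolved = posixpath.normpath(full)
    return not (resolved == ws or resolved.startswith(ws + "/"))

def audit_tool_call(event: dict, workspace: str) -> list:
    """Reasons a logged native-tool call should be flagged (empty list = clean)."""
    reasons = []
    if event.get("tool") not in NATIVE_TOOLS:
        return reasons                      # sandboxed tools are out of scope here
    for name, value in event.get("args", {}).items():
        value = str(value)
        if SHELL_META.search(value):
            reasons.append(f"argument {name!r} contains shell metacharacters")
        if name in ("path", "directory") and path_escapes_workspace(value, workspace):
            reasons.append(f"argument {name!r} resolves outside the workspace")
    return reasons

def audit_log(lines, workspace: str) -> list:
    """Scan a JSON-lines agent log; return (line_no, reasons) for each flagged call."""
    flagged = []
    for n, line in enumerate(lines, 1):
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            flagged.append((n, ["unparseable log line"]))
            continue
        reasons = audit_tool_call(event, workspace)
        if reasons:
            flagged.append((n, reasons))
    return flagged

# Constructed sample log: line 3 walks out of the workspace, line 4 smuggles a command.
SAMPLE_LOG = [
    '{"tool": "find_by_name", "args": {"path": "src", "pattern": "*.py"}}',
    '{"tool": "run_command", "args": {"cmd": "pytest -q"}}',
    '{"tool": "find_by_name", "args": {"path": "../../etc", "pattern": "*"}}',
    '{"tool": "find_by_name", "args": {"path": "src", "pattern": "*; echo injected"}}',
]
```

Running `audit_log(SAMPLE_LOG, "/home/dev/project")` flags lines 3 and 4 only; a real deployment would feed it the agent's actual tool-call log and alert on any non-empty result.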
## References
- **Pillar Security Disclosure**: hxxps[://]www[.]pillar[.]security/blog/prompt-injection-leads-to-rce-and-sandbox-escape-in-antigravity
- **CyberScoop Article**: hxxps[://]cyberscoop[.]com/google-antigravity-pillar-security-agent-sandbox-escape-remote-code-execution/