{"id":761,"date":"2026-04-30T07:50:51","date_gmt":"2026-04-30T07:50:51","guid":{"rendered":"https:\/\/thedigitalfortress.us\/?p=761"},"modified":"2026-04-30T07:50:51","modified_gmt":"2026-04-30T07:50:51","slug":"google-fixes-cvss-10-gemini-cli-ci-rce-and-cursor-flaws-enable-code-execution","status":"publish","type":"post","link":"https:\/\/thedigitalfortress.us\/?p=761","title":{"rendered":"Google Fixes CVSS 10 Gemini CLI CI RCE and Cursor Flaws Enable Code Execution"},"content":{"rendered":"<div id=\"articlebody\">\n<p>Google has addressed a maximum severity security flaw in Gemini CLI &#8212; the \"@google\/gemini-cli\" npm package and the \"google-github-actions\/run-gemini-cli\" GitHub Actions workflow &#8212; that could have allowed attackers to execute arbitrary commands on host systems.<\/p>\n<p>\"The vulnerability allowed an unprivileged external attacker to force their own malicious content to load as Gemini configuration,\" Novee Security <a href=\"https:\/\/novee.security\/blog\/google-gemini-cli-rce-vulnerability-cvss-10-critical-security-advisory\/\">said<\/a> in a Wednesday report. \"This triggered command execution directly on the host system, bypassing security before the agent\u2019s sandbox even initialized.\"<\/p>\n<p>The shortcoming, which does not have a CVE identifier, carries a CVSS score of 10.0. 
It affects the following versions &#8211;<\/p>\n<ul>\n<li>@google\/gemini-cli &lt; 0.39.1<\/li>\n<li>@google\/gemini-cli &lt; 0.40.0-preview.3<\/li>\n<li>google-github-actions\/run-gemini-cli &lt; 0.1.22<\/li>\n<\/ul>\n<p>In its advisory <a href=\"https:\/\/github.com\/google-github-actions\/run-gemini-cli\/security\/advisories\/GHSA-wpqr-6v78-jr5g\">published<\/a> last week, Google said the impact is limited to workflows using Gemini CLI in headless mode, adding that any use of the tool in headless mode without folder trust will require manual review to configure this trust mechanism.<\/p>\n<p>\"In previous versions, Gemini CLI running in CI environments (headless mode) automatically trusted workspace folders for the purpose of loading configuration and environment variables,\" it said.<\/p>\n<p>\"This is potentially risky in situations where Gemini CLI runs on untrusted folders in headless mode (e.g., CI workflows that review user-submitted pull requests). If used with untrusted directory contents, this could lead to remote code execution via malicious environment variables in the local .gemini\/ directory.\"<\/p>\n<p>This automatic trust of the current workspace folder meant that the tool could load any agent configuration it found without review, sandboxing, or explicit user consent. 
An attacker could weaponize this behavior by planting a specially crafted configuration that could pave the way for code execution on the host running the agent, effectively turning CI\/CD pipelines into supply-chain attack paths.<\/p>\n<p>The update addresses the problem by requiring folders to be explicitly trusted before configuration files can be accessed. To that end, users are being urged to review their workflows and adopt one of two approaches &#8211;<\/p>\n<ul>\n<li>If the workflow runs on trusted inputs (e.g., reviewing pull requests from trusted collaborators), set GEMINI_TRUST_WORKSPACE: &#8216;true&#8217; in the workflow.<\/li>\n<li>If the workflow runs on untrusted inputs, review Google&#8217;s guidance in <a href=\"https:\/\/github.com\/google-github-actions\/run-gemini-cli\">google-github-actions\/run-gemini-cli<\/a> to harden the workflow against malicious content, and set the environment variable.<\/li>\n<\/ul>\n<p>The tech giant also noted that it&#8217;s taking steps to harden tool allowlisting when Gemini CLI is configured to run in --yolo mode. The goal is to prevent scenarios where untrusted inputs (e.g., user-submitted GitHub issues) could lead to remote code execution via prompt injection, since the auto-approve mode previously ignored any allowlist in \"~\/.gemini\/settings.json\" and ran all tool calls automatically (including \"run_shell_command\") without requiring user confirmation.<\/p>\n<p>\"In version 0.39.1, the Gemini CLI policy engine now evaluates tool allowlisting under --yolo mode, which is useful for CI workflows that allowlist a few safe commands to run when processing untrusted inputs,\" Google said. 
\"As a result, some workflows that previously depended on this behavior may fail silently unless tool allowlists are modified to fit the task.\"<\/p>\n<h3>Cursor Bug Leads to Code Execution<\/h3>\n<p>The disclosure comes as Novee Security also highlighted a high-severity vulnerability in the AI-powered development tool Cursor prior to version 2.5 (CVE-2026-26268, CVSS score: 8.1) that could also lead to arbitrary code execution by means of a prompt injection.<\/p>\n<p>Cursor, in an alert <a href=\"https:\/\/github.com\/cursor\/cursor\/security\/advisories\/GHSA-8pcm-8jpx-hv8r\">released<\/a> in February 2026, described it as a case of sandbox escape through .git configurations, allowing a rogue agent to set up a bare repository (\".git\") with a malicious <a href=\"https:\/\/git-scm.com\/book\/en\/v2\/Customizing-Git-Git-Hooks\">Git hook<\/a> that&#8217;s automatically fired every time a commit operation runs within the embedded repository context without requiring any user interaction.<\/p>\n<div class=\"separator\" style=\"clear: both;\"><a href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEj6SWKCafnqKb9rAciWnARSFip7IUWZZCnyHCWBJXtLm0CGvMzfGcOdzt_Z1fhJx8xaGr2CRaXP8b5MPaQiVLbLHEqwkVjaQvIr9mX04p5MC3R_evFjnRy9cQKWY22PfIM_oNkajUWox1FrypuNGORAxVNWgnvCZ8XY5gaptTpyWXu1L-g5y9bd1L-KwVb8\/s1700-e365\/Cursor.png\" style=\"display: block;  text-align: center; clear: left; float: left;\"><img decoding=\"async\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEj6SWKCafnqKb9rAciWnARSFip7IUWZZCnyHCWBJXtLm0CGvMzfGcOdzt_Z1fhJx8xaGr2CRaXP8b5MPaQiVLbLHEqwkVjaQvIr9mX04p5MC3R_evFjnRy9cQKWY22PfIM_oNkajUWox1FrypuNGORAxVNWgnvCZ8XY5gaptTpyWXu1L-g5y9bd1L-KwVb8\/s1700-e365\/Cursor.png\" alt=\"\" border=\"0\" data-original-height=\"513\" data-original-width=\"1024\"\/><\/a><\/div>\n<p>The end result is auto-approved arbitrary code execution on the victim&#8217;s machine through the following sequence of actions 
&#8211;<\/p>\n<ul>\n<li>User clones a public GitHub repository with the embedded bare repository containing a malicious post-checkout hook<\/li>\n<li>User opens the repository in Cursor IDE<\/li>\n<li>User asks an innocuous prompt to \"explain the codebase\"<\/li>\n<li>Cursor agent parses the <a href=\"https:\/\/agents.md\/\">AGENTS.md<\/a> that instructs it to navigate to the bare repository and perform a \"git checkout\" of the master branch<\/li>\n<li>The post-checkout hook inside the bare repository is triggered, leading to code execution.<\/li>\n<\/ul>\n<p>\"The root cause is not a flaw in Cursor&#8217;s core product logic, but rather a consequence of a feature interaction in Git, one that becomes exploitable the moment an AI agent starts autonomously executing Git operations inside a repository it doesn&#8217;t control,\" security researcher Assaf Levkovich <a href=\"https:\/\/novee.security\/blog\/cursor-ide-cve-2026-26268-git-hook-arbitrary-code-execution\/\">said<\/a>.<\/p>\n<p>\"When the agent runs git checkout as part of fulfilling a routine request, it is not doing anything the user didn&#8217;t implicitly authorize. But neither the user nor the agent has visibility into what the repository&#8217;s Cursor Rules have set in motion. 
A malicious pre-commit hook embedded in a nested bare repository executes silently, outside the agent&#8217;s reasoning chain and outside the user\u2019s field of view.\"<\/p>\n<p>The findings also coincide with the discovery of another high-severity access control vulnerability in the IDE (CVSS score: 8.2) that could allow any installed extension to access sensitive API keys and credentials stored locally in an SQLite database, enabling account takeover, data exposure, and financial loss stemming from unauthorized API usage. The issue, codenamed <a href=\"https:\/\/layerxsecurity.com\/blog\/cursorjacking-every-cursor-user-is-vulnerable-to-api-key-theft-by-rogue-extensions\/\">CursorJacking<\/a> by LayerX, remains unpatched.<\/p>\n<p>\"Cursor does not enforce access control boundaries between extensions and this database,\" LayerX researcher Roy Paz said. \"Exploitation of this vulnerability can lead to exposure of session tokens and API keys, unauthorized access to Cursor backend services, and data theft via user impersonation.\"<\/p>\n<p>Cursor has maintained that the access is limited to the local machine where the user has already installed and granted permissions to the extension, meaning any rogue extension with local file system access could potentially extract valuable information from various application data stores. 
To counter the threat, it&#8217;s essential that users stick to downloading trusted extensions.<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Google has addressed a maximum severity security flaw in Gemini CLI &#8212; the \"@google\/gemini-cli\" npm package and the \"google-github-actions\/run-gemini-cli\" GitHub Actions workflow &#8212; that could have allowed attackers to execute&hellip;<\/p>\n","protected":false},"author":1,"featured_media":762,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[216,10,1472,497,369,13,655,11,282,2,316],"class_list":["post-761","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-cli","tag-code","tag-cursor","tag-cvss","tag-enable","tag-execution","tag-fixes","tag-flaws","tag-gemini","tag-google","tag-rce"],"_links":{"self":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/761","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=761"}],"version-history":[{"count":0,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/761\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/media\/762"}],"wp:attachment":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=761"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fca
tegories&post=761"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=761"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}