Google Patches Critical RCE Vulnerability in Gemini CLI and GitHub Action
Google has released urgent security updates to address a critical remote code execution (RCE) vulnerability in its Gemini CLI and associated GitHub Action, tracked as GHSA-wpqr-6v78-jr5g. The flaw, discovered by researchers Elad Meged (Novee Security) and Dan Lisichkin (Pillar Security), exposes CI/CD pipelines and software supply chains to severe exploitation risks.
The vulnerability stems from two major bypass techniques in Gemini CLI’s handling of workspace trust and tool allowlisting. In headless execution modes commonly used in GitHub Actions the tool automatically trusted workspace folders without verification, allowing attackers to inject malicious environment variables into untrusted directories. Additionally, the "Yolo" execution mode failed to enforce strict tool allowlists, enabling prompt injection attacks to bypass restrictions and execute arbitrary commands. Improper input validation further compounded the issue, leading to OS command injection vulnerabilities.
The combined weaknesses create a high-risk scenario where attackers could exploit automated workflows without user interaction or elevated privileges. Since many CI/CD pipelines process external inputs (e.g., pull requests, public GitHub issues), vulnerable versions of Gemini CLI could unknowingly execute malicious configurations, enabling:
- Arbitrary code execution on build servers
- Theft of repository secrets and credentials
- Unauthorized source code modifications
- Lateral movement into internal systems
The attack is particularly dangerous because it can be triggered remotely and without authentication, increasing its exploitation potential.
Google has mitigated the issue by redesigning Gemini CLI’s trust mechanisms, now requiring explicit trust configurations before processing workspace data in automated environments. Organizations are urged to:
- Upgrade Gemini CLI to v0.39.1 or v0.40.0-preview.3
- Update the GitHub Action to v0.1.22
- Configure explicit workspace trust settings
- Enforce strict tool allowlists for untrusted inputs
- Audit CI/CD pipelines for outdated versions
The incident highlights the critical need for strict validation controls in CI/CD pipelines to protect software supply chains from evolving threats.
Source: https://cyberpress.org/gemini-cli-vulnerability-2/
GitHub TPRM report: https://www.rankiteo.com/company/github
Google TPRM report: https://www.rankiteo.com/company/google
"id": "gitgoo1777302471",
"linkid": "github, google",
"type": "Vulnerability",
"date": "4/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'customers_affected': 'Organizations using Gemini CLI '
'v0.39.0 or earlier and GitHub '
'Action v0.1.21 or earlier in '
'CI/CD pipelines',
'industry': 'Software, Cloud Services',
'name': 'Google',
'type': 'Technology Company'}],
'attack_vector': 'Automated CI/CD pipelines, GitHub Actions workflows',
'data_breach': {'sensitivity_of_data': 'High (secrets, credentials, '
'proprietary code)',
'type_of_data_compromised': 'Repository secrets, credentials, '
'source code'},
'description': 'Google has released urgent security updates to address a '
'critical remote code execution (RCE) vulnerability in its '
'Gemini CLI and associated GitHub Action, tracked as '
'GHSA-wpqr-6v78-jr5g. The flaw exposes CI/CD pipelines and '
'software supply chains to severe exploitation risks due to '
'bypass techniques in workspace trust and tool allowlisting, '
'leading to arbitrary code execution, theft of repository '
'secrets, and unauthorized source code modifications.',
'impact': {'data_compromised': 'Repository secrets, credentials, source code',
'operational_impact': 'Unauthorized code modifications, lateral '
'movement into internal systems',
'systems_affected': 'CI/CD pipelines, build servers, software '
'supply chains'},
'lessons_learned': 'Critical need for strict validation controls in CI/CD '
'pipelines to protect software supply chains from evolving '
'threats.',
'post_incident_analysis': {'corrective_actions': ['Redesigned trust '
'mechanisms requiring '
'explicit trust '
'configurations',
'Enforced strict tool '
'allowlists for untrusted '
'inputs'],
'root_causes': ['Automatic trust of workspace '
'folders in headless execution '
'modes',
'Failure to enforce strict tool '
"allowlists in 'Yolo' execution "
'mode',
'Improper input validation leading '
'to OS command injection']},
'recommendations': ['Upgrade Gemini CLI to v0.39.1 or v0.40.0-preview.3',
'Update GitHub Action to v0.1.22',
'Configure explicit workspace trust settings',
'Enforce strict tool allowlists for untrusted inputs',
'Audit CI/CD pipelines for outdated versions'],
'references': [{'source': 'Google Security Advisory'}],
'response': {'containment_measures': 'Urgent security updates released for '
'Gemini CLI and GitHub Action',
'recovery_measures': 'Upgrade Gemini CLI to v0.39.1 or '
'v0.40.0-preview.3, update GitHub Action to '
'v0.1.22, audit CI/CD pipelines',
'remediation_measures': 'Redesigned trust mechanisms, explicit '
'workspace trust configurations, strict '
'tool allowlists'},
'title': 'Google Patches Critical RCE Vulnerability in Gemini CLI and GitHub '
'Action',
'type': 'Remote Code Execution (RCE)',
'vulnerability_exploited': 'GHSA-wpqr-6v78-jr5g (workspace trust bypass, tool '
'allowlisting bypass, improper input validation, '
'OS command injection)'}