Google: Google Gemini Prompt Injection Flaw Exposed Private Calendar Data via Malicious Invites

Google Gemini Flaw Exposed Private Calendar Data via Indirect Prompt Injection

Cybersecurity researchers at Miggo Security uncovered a critical vulnerability in Google Gemini that allowed attackers to bypass authorization controls and exfiltrate private meeting data through Google Calendar. The flaw, disclosed by Head of Research Liad Eliyahu, leveraged indirect prompt injection: malicious instructions embedded within a seemingly harmless calendar invite.

The attack began with a threat actor sending a crafted event invite containing a hidden prompt in its description. When a user asked Gemini an innocuous question (e.g., "Do I have any meetings for Tuesday?"), the AI parsed the malicious prompt, summarizing all private meetings and embedding the data into a new calendar event visible to the attacker without any direct user interaction.

Google has since patched the issue following responsible disclosure, but the incident highlights the expanding attack surface of AI-native features. As Eliyahu noted, "AI applications can be manipulated through the very language they're designed to understand," shifting vulnerabilities from code to runtime behavior and contextual interpretation.
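
The flow described above turns a read-only question into a calendar write. As an added example (not Google's fix and not Miggo's code), the sketch below shows a gate outside the model that authorizes each proposed tool call based on what the user asked for and whether third-party event text entered the context. The tool names, the Session class and the sample events are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Tool names are hypothetical; they stand in for an assistant's calendar actions.
READ_TOOLS = {"list_events"}
WRITE_TOOLS = {"create_event", "update_event"}


@dataclass
class Event:
    title: str
    description: str
    organizer: str


@dataclass
class Session:
    user: str
    user_requested_write: bool = False  # set from the user's own prompt, never from event text
    external_sources: set = field(default_factory=set)

    def load_events(self, events):
        """Build model context and record which text came from outside senders."""
        context = []
        for ev in events:
            if ev.organizer != self.user:
                self.external_sources.add(ev.organizer)
            context.append(f"{ev.title}: {ev.description}")
        return context

    def authorize(self, tool):
        """Decide a model-proposed tool call: 'allow', 'confirm' or 'deny'."""
        if tool in READ_TOOLS:
            return "allow"
        if tool not in WRITE_TOOLS:
            return "deny"  # unknown tool: fail closed
        if not self.user_requested_write:
            # Read-only question, yet the model proposes a write.
            return "deny" if self.external_sources else "confirm"
        return "confirm" if self.external_sources else "allow"


def demo():
    """Constructed sample: one own event, one invite from an outside sender."""
    s = Session(user="alice@example.com")
    s.load_events([
        Event("1:1", "Weekly sync", "alice@example.com"),
        Event("Sync", "[constructed: instruction-like text]", "sender@example.net"),
    ])
    return s.authorize("list_events"), s.authorize("create_event")
```

The decision depends only on the user's request and the provenance of the loaded text, so it holds regardless of how the model interprets the invite's description.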

The disclosure follows other recently reported AI security risks, including Varonis’ "Reprompt" attack, which demonstrated how adversaries could exfiltrate sensitive data from chatbots like Microsoft Copilot in a single click. Meanwhile, XM Cyber revealed privilege escalation flaws in Google Cloud Vertex AI and Ray, enabling attackers to hijack high-privilege service accounts and access chat sessions, LLM memories, or storage buckets.

Additional vulnerabilities surfaced across AI systems:

  • The Librarian (CVE-2026-0612–0616): Flaws allowing attackers to access internal infrastructure, leak cloud metadata, and extract system prompts.
  • Intent-based LLM assistants: System prompts could be exfiltrated via Base64-encoded form fields, bypassing chat interface restrictions.
  • Anthropic Claude Code plugins: Malicious plugins could bypass human-in-the-loop protections and exfiltrate files via indirect prompt injection.
  • Cursor IDE (CVE-2026-22708): Remote code execution via shell built-in commands, enabling environment variable manipulation.
  • Vibe coding IDEs (Cursor, Claude Code, etc.): Weaknesses in SSRF, business logic, and authorization controls, with no CSRF protection or security headers in place.

The findings underscore persistent gaps in AI security, particularly in prompt injection, privilege escalation, and agentic behavior, reinforcing the need for rigorous testing and oversight in enterprise AI deployments.

Source: https://thehackernews.com/2026/01/google-gemini-prompt-injection-flaw.html

Google cybersecurity rating report: https://www.rankiteo.com/company/google

"id": "GOO1768856368",
"linkid": "google",
"type": "Vulnerability",
"date": "1/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'industry': 'Technology/Software',
                        'location': 'Global',
                        'name': 'Google',
                        'size': 'Large',
                        'type': 'Technology Company'}],
 'attack_vector': 'Malicious calendar invite with hidden prompt',
 'data_breach': {'data_exfiltration': 'Yes',
                 'sensitivity_of_data': 'High (private calendar data)',
                 'type_of_data_compromised': 'Private meeting data'},
 'description': 'Cybersecurity researchers at Miggo Security uncovered a '
                'critical vulnerability in Google Gemini that allowed '
                'attackers to bypass authorization controls and exfiltrate '
                'private meeting data through Google Calendar. The flaw '
                'leveraged indirect prompt injection embedding malicious '
                'instructions within a seemingly harmless calendar invite. The '
                'attack began with a threat actor sending a crafted event '
                'invite containing a hidden prompt in its description. When a '
                "user asked Gemini an innocuous question (e.g., 'Do I have any "
                "meetings for Tuesday?'), the AI parsed the malicious prompt, "
                'summarizing all private meetings and embedding the data into '
                'a new calendar event visible to the attacker without any '
                'direct user interaction.',
 'impact': {'brand_reputation_impact': 'Potential reputational damage due to '
                                       'AI security flaw',
            'data_compromised': 'Private meeting data',
            'operational_impact': 'Data exfiltration without direct user '
                                  'interaction',
            'systems_affected': 'Google Gemini, Google Calendar'},
 'investigation_status': 'Resolved (patched by Google)',
 'lessons_learned': 'The incident highlights the expanding attack surface of '
                    'AI-native features, particularly in prompt injection, '
                    'privilege escalation, and agentic behavior. It '
                    'underscores the need for rigorous testing and oversight '
                    'in enterprise AI deployments.',
 'post_incident_analysis': {'corrective_actions': 'Patch issued by Google to '
                                                  'fix the authorization '
                                                  'control bypass',
                            'root_causes': 'Indirect prompt injection '
                                           'vulnerability in Google Gemini'},
 'recommendations': 'Implement rigorous testing and oversight for AI systems, '
                    'particularly focusing on prompt injection, privilege '
                    'escalation, and agentic behavior vulnerabilities.',
 'references': [{'source': 'Miggo Security'}],
 'response': {'containment_measures': 'Patch issued by Google',
              'remediation_measures': 'Vulnerability patched'},
 'title': 'Google Gemini Flaw Exposed Private Calendar Data via Indirect '
          'Prompt Injection',
 'type': 'Indirect Prompt Injection',
 'vulnerability_exploited': 'Authorization control bypass in Google Gemini'}