xAI and Google Cloud: xAI Grok CLI Exposed Developer Code Through Automatic Whole-Repository Uploads

xAI and Google Cloud: xAI Grok CLI Exposed Developer Code Through Automatic Whole-Repository Uploads

xAI’s Grok Build CLI Found Transmitting Full Git Repositories by Default

Independent researcher cereblab uncovered a critical privacy issue in xAI’s Grok Build CLI (version 0.2.93), revealing that the tool transmitted entire Git repositories including unread files and commit history to xAI’s infrastructure by default. The analysis, conducted via HTTPS interception on macOS, showed that the CLI uploaded repository data even when explicitly instructed not to access files.

Key findings include:

  • Unintended Data Transmission: The CLI sent full Git bundles via POST /v1/storage, exposing complete repository history and untouched files. A test with a 12 GB repository recorded over 5 GiB of data transferred in 73 chunks before manual termination.
  • Sensitive Data Exposure: A test .env file containing simulated credentials was transmitted unredacted, appearing in both model-response requests and staged session archives.
  • Persistent Uploads: Disabling the "Improve the model" option did not stop uploads, as server settings retained trace_upload_enabled: true. Local staging in ~/.grok/upload_queue could also consume significant disk space.
  • Cloud Storage Links: Metadata pointed to a Google Cloud Storage bucket (grok-code-session-traces), though it remains unconfirmed whether xAI used the data for training.

On July 14, xAI disabled the upload mechanism server-side (disable_codebase_upload: true) and added a privacy opt-out, though the latter was described as a data-retention control rather than a transmission block. Elon Musk publicly committed to deleting previously uploaded data, but independent verification is pending.

The incident highlights risks of AI coding agents accessing sensitive codebases, underscoring the need for isolated testing and egress monitoring. The analysis relied on a controlled proxy setup to intercept and examine outbound traffic.

Source: https://gbhackers.com/xai-grok-cli-exposed-developer-code/

xAI TPRM report: https://www.rankiteo.com/company/xai

Google Cloud TPRM report: https://www.rankiteo.com/company/googleai

"id": "xaigoo1784039078",
"linkid": "xai, googleai",
"type": "Breach",
"date": "7/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': 'Users of Grok Build CLI '
                                              '(version 0.2.93)',
                        'industry': 'Artificial Intelligence',
                        'location': 'United States',
                        'name': 'xAI',
                        'size': 'Large',
                        'type': 'Company'}],
 'attack_vector': 'Misconfigured Software',
 'customer_advisories': 'Users informed of privacy opt-out and data deletion '
                        'commitment',
 'data_breach': {'data_exfiltration': 'Yes (transmitted to xAI’s '
                                      'infrastructure via `POST /v1/storage`)',
                 'file_types_exposed': ['.git bundles',
                                        '.env',
                                        'source code files'],
                 'personally_identifiable_information': 'Simulated credentials '
                                                        '(no confirmed real '
                                                        'PII)',
                 'sensitivity_of_data': 'High (simulated credentials, '
                                        'proprietary code, commit history)',
                 'type_of_data_compromised': 'Git repositories, including '
                                             'source code, commit history, and '
                                             'configuration files (e.g., '
                                             '.env)'},
 'date_detected': '2024-07-14',
 'date_resolved': '2024-07-14',
 'description': 'Independent researcher *cereblab* uncovered a critical '
                'privacy issue in xAI’s Grok Build CLI (version 0.2.93), '
                'revealing that the tool transmitted entire Git repositories '
                'including unread files and commit history to xAI’s '
                'infrastructure by default. The CLI uploaded repository data '
                'even when explicitly instructed not to access files, exposing '
                'sensitive data such as simulated credentials in .env files '
                'and consuming significant disk space due to persistent '
                'uploads.',
 'impact': {'brand_reputation_impact': 'High (public disclosure of privacy '
                                       'risks, Elon Musk’s commitment to '
                                       'delete data)',
            'data_compromised': 'Full Git repositories, including unread '
                                'files, commit history, and sensitive data '
                                '(e.g., simulated credentials in .env files)',
            'identity_theft_risk': 'Low (simulated credentials exposed, but no '
                                   'confirmed real-world impact)',
            'legal_liabilities': 'Potential (regulatory violations due to '
                                 'unauthorized data transmission)',
            'operational_impact': 'Potential disk space exhaustion due to '
                                  'local staging in `~/.grok/upload_queue`',
            'systems_affected': 'xAI’s Grok Build CLI (version 0.2.93)'},
 'investigation_status': 'Resolved (server-side fix applied)',
 'lessons_learned': 'Risks of AI coding agents accessing sensitive codebases '
                    'without explicit consent; need for isolated testing and '
                    'egress monitoring.',
 'post_incident_analysis': {'corrective_actions': 'Server-side disablement of '
                                                  'uploads, privacy opt-out '
                                                  'addition, commitment to '
                                                  'delete uploaded data',
                            'root_causes': 'Default transmission of Git '
                                           'repositories without user consent; '
                                           'persistent upload settings '
                                           '(`trace_upload_enabled: true`)'},
 'recommendations': ['Implement explicit user opt-in for data transmission',
                     'Isolate AI tools in sandboxed environments',
                     'Monitor outbound traffic for unintended data '
                     'exfiltration',
                     'Verify server-side controls independently'],
 'references': [{'source': 'Independent researcher *cereblab*'}],
 'regulatory_compliance': {'regulations_violated': ['Potential GDPR (if EU '
                                                    'user data was exposed)',
                                                    'Potential CCPA (if '
                                                    'California user data was '
                                                    'exposed)']},
 'response': {'communication_strategy': 'Public acknowledgment via Elon Musk, '
                                        'server-side changes',
              'containment_measures': 'Server-side disablement of upload '
                                      'mechanism (`disable_codebase_upload: '
                                      'true`)',
              'recovery_measures': 'Elon Musk committed to deleting previously '
                                   'uploaded data (pending independent '
                                   'verification)',
              'remediation_measures': 'Added privacy opt-out (though described '
                                      'as data-retention control, not '
                                      'transmission block)'},
 'stakeholder_advisories': 'Users advised to check for unintended data '
                           'transmission and update CLI versions',
 'title': 'xAI’s Grok Build CLI Found Transmitting Full Git Repositories by '
          'Default',
 'type': 'Data Exposure',
 'vulnerability_exploited': 'Default transmission of full Git repositories '
                            'without explicit user consent'}
Great! Next, complete checkout for full access to Rankiteo Blog.
Welcome back! You've successfully signed in.
You've successfully subscribed to Rankiteo Blog.
Success! Your account is fully activated, you now have access to all content.
Success! Your billing info has been updated.
Your billing was not updated.