{"data":{"id":"10f33a5c-cc88-4c0b-903d-cc76df0d5e53","title":"Gemini CLI Vulnerability Could Have Led to Code Execution, Supply Chain Attack","summary":"Gemini CLI (Google's open source AI agent for terminal access to the Gemini AI assistant) had a critical vulnerability with a CVSS score of 10/10 that could have allowed attackers to inject malicious prompts into GitHub issues, causing the AI agent to execute unauthorized commands and steal secrets from the build environment in a supply chain attack (compromising software distributed to many users). The vulnerability existed because the --yolo mode (which auto-approves all tool calls without user confirmation) ignored tool allowlists (restrictions on what actions the AI could perform), and Google fixed it in version 0.39.1 by properly enforcing those restrictions.","solution":"Google addressed the vulnerability on April 24 in Gemini CLI version 0.39.1, which evaluates tool allowlisting under --yolo mode. The run-gemini-cli GitHub Action was also updated.\nThe same version resolved a separate trust issue in headless mode (where the AI runs without user interaction) that was automatically loading configuration and environment variables from the current workspace folder.","labels":["security"],"sourceUrl":"https://www.securityweek.com/gemini-cli-vulnerability-could-have-led-to-code-execution-supply-chain-attack/","publishedAt":"2026-05-07T10:39:34.000Z","cveId":null,"cweIds":null,"cvssScore":null,"cvssSeverity":null,"severity":"critical","attackType":["prompt_injection","supply_chain"],"issueType":"news","affectedPackages":null,"affectedVendors":["Google"],"affectedVendorsRaw":["Google","Gemini CLI","GitHub"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":null,"epssScore":null,"patchAvailable":null,"disclosureDate":"2026-05-07T10:39:34.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"moderate","impactType":["integrity","confidentiality"],"aiComponentTargeted":"agent","llmSpecific":true,"classifierConfidence":0.95,"researchCategory":null,"atlasIds":null}}