{"data":{"id":"732bd4eb-0a4b-4fc7-8ed1-19176dd57989","title":"GHSA-wpqr-6v78-jr5g: Gemini CLI: Remote Code Execution via workspace trust and tool allowlisting bypasses","summary":"Gemini CLI had two security vulnerabilities that could allow remote code execution (running malicious code on a system). First, in headless mode (non-interactive environments like CI/CD pipelines), the tool automatically trusted workspace folders and loaded configuration files without verification, which could be exploited through malicious environment variables. Second, the `--yolo` flag bypassed tool allowlisting (restrictions on what commands can run), allowing unrestricted command execution via prompt injection (tricking the AI by hiding instructions in its input). Version 0.39.1 and later now require explicit folder trust and enforce tool allowlisting even in `--yolo` mode.","solution":"Update to Gemini CLI version 0.39.1 or 0.40.0-preview.3. For workflows running on trusted inputs, set the environment variable `GEMINI_TRUST_WORKSPACE: 'true'` in your GitHub Actions workflow. For workflows processing untrusted inputs, review the guidance at https://github.com/google-github-actions/run-gemini-cli to harden your workflow against malicious content and set the same environment variable after implementing appropriate security measures. If you have specified a specific version of gemini_cli, upgrade to one of the patched versions and audit your workflow settings.","labels":["security"],"sourceUrl":"https://github.com/advisories/GHSA-wpqr-6v78-jr5g","publishedAt":"2026-04-24T19:30:01.000Z","cveId":null,"cweIds":null,"cvssScore":null,"cvssSeverity":"critical","severity":"critical","attackType":["prompt_injection","supply_chain"],"issueType":"vulnerability","affectedPackages":["google-github-actions/run-gemini-cli@< 0.1.22 (fixed: 0.1.22)","@google/gemini-cli@= 0.40.0-preview.2 (fixed: 0.40.0-preview.3)","@google/gemini-cli@< 0.39.1 (fixed: 0.39.1)"],"affectedVendors":["Google"],"affectedVendorsRaw":["Google Gemini CLI","Gemini","Google"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":null,"epssScore":null,"patchAvailable":true,"disclosureDate":"2026-04-24T19:30:01.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"moderate","impactType":["integrity","confidentiality"],"aiComponentTargeted":"api","llmSpecific":true,"classifierConfidence":0.95,"researchCategory":null,"atlasIds":null}}