Gemini CLI Vulnerability Could Have Led to Code Execution, Supply Chain Attack
Summary
Gemini CLI, Google's open source AI agent that provides terminal access to the Gemini AI assistant, had a critical vulnerability with a CVSS score of 10/10. Attackers could have injected malicious prompts into GitHub issues, causing the AI agent to execute unauthorized commands and steal secrets from the build environment in a supply chain attack (a compromise of software distributed to many users). The vulnerability existed because --yolo mode, which auto-approves all tool calls without user confirmation, ignored tool allowlists (restrictions on which actions the AI could perform). Google fixed it in version 0.39.1 by properly enforcing those restrictions.
Solution / Mitigation
Google addressed the vulnerability on April 24 in Gemini CLI version 0.39.1, which evaluates tool allowlisting under --yolo mode. The run-gemini-cli GitHub Action was also updated. The same version resolved a separate trust issue in headless mode (where the AI runs without user interaction) that was automatically loading configuration and environment variables from the current workspace folder.
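The ordering flaw described above, as a simplified model added here as an example; it is not Gemini CLI's code, and the function, tool and policy names are hypothetical. It contrasts an auto-approve check that returns before the allowlist is consulted with an ordering that treats the allowlist as a hard boundary.

```javascript
// Simplified model of an agent's tool-call gate. All names are hypothetical
// and are not taken from Gemini CLI's source.

// Constructed policy: the workflow intends to permit only read-only tools,
// and runs unattended with auto-approve (the role --yolo plays on the page).
const policy = { allowedTools: ["read_file", "list_issues"], autoApprove: true };

// Vulnerable ordering: auto-approve returns before the allowlist is checked,
// so the allowlist only has an effect in interactive runs.
function decideVulnerable(call, policy) {
  if (policy.autoApprove) return "allow";
  if (!policy.allowedTools.includes(call.tool)) return "deny";
  return "ask_user";
}

// Hardened ordering: the allowlist is evaluated first and is never bypassed;
// auto-approve only replaces the confirmation prompt for tools already allowed.
function decideHardened(call, policy) {
  // Assumption of this model: a missing or malformed allowlist fails closed.
  if (!Array.isArray(policy.allowedTools)) return "deny";
  if (!policy.allowedTools.includes(call.tool)) return "deny";
  return policy.autoApprove ? "allow" : "ask_user";
}

// Constructed tool calls, as an agent might emit after reading untrusted
// issue text. The second one is outside the allowlist.
const calls = [
  { tool: "read_file", args: { path: "README.md" } },
  { tool: "shell_exec", args: { command: "<text derived from issue body>" } },
];

// Run every sample call through a decision function and report the verdicts.
function audit(decide) {
  return calls.map((c) => `${c.tool}=${decide(c, policy)}`);
}

console.log("vulnerable:", audit(decideVulnerable).join(", "));
console.log("hardened:  ", audit(decideHardened).join(", "));
```
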
Original source: https://www.securityweek.com/gemini-cli-vulnerability-could-have-led-to-code-execution-supply-chain-attack/
First tracked: May 7, 2026 at 08:00 AM