GHSA-wpqr-6v78-jr5g: Gemini CLI: Remote Code Execution via workspace trust and tool allowlisting bypasses
Summary
Gemini CLI had two security vulnerabilities that could allow remote code execution (running malicious code on a system). First, in headless mode (non-interactive environments like CI/CD pipelines), the tool automatically trusted workspace folders and loaded configuration files without verification, which could be exploited through malicious environment variables. Second, the `--yolo` flag bypassed tool allowlisting (restrictions on what commands can run), allowing unrestricted command execution via prompt injection (tricking the AI by hiding instructions in its input). Version 0.39.1 and later now require explicit folder trust and enforce tool allowlisting even in `--yolo` mode.
Solution / Mitigation
Update to Gemini CLI version 0.39.1 or 0.40.0-preview.3. For workflows running on trusted inputs, set the environment variable `GEMINI_TRUST_WORKSPACE: 'true'` in your GitHub Actions workflow. For workflows processing untrusted inputs, review the guidance at https://github.com/google-github-actions/run-gemini-cli to harden your workflow against malicious content and set the same environment variable after implementing appropriate security measures. If you have specified a specific version of gemini_cli, upgrade to one of the patched versions and audit your workflow settings.
Classification
Affected Vendors
Affected Packages
Related Issues
Original source: https://github.com/advisories/GHSA-wpqr-6v78-jr5g
First tracked: April 24, 2026 at 08:00 PM
Classified by LLM (prompt v3) · confidence: 95%