Google Fixes CVSS 10 Gemini CLI CI RCE and Cursor Flaws Enable Code Execution
Summary
Google patched a critical flaw (CVSS score of 10.0, the highest severity) in Gemini CLI that allowed attackers to execute arbitrary commands by tricking the tool into loading malicious configuration files in headless mode (non-interactive environments used in CI/CD pipelines, which automate software testing and deployment). The vulnerability affected versions before 0.39.1 and 0.40.0-preview.3 of the npm package and version 0.1.22 of the GitHub Actions workflow. Separately, a high-severity flaw in Cursor (a code-writing AI tool) before version 2.5 could also enable code execution through prompt injection (tricking an AI by hiding instructions in its input).
Solution / Mitigation
Google's fix requires explicit folder trust before configuration files can be accessed. Users should review workflows and choose one of two approaches: (1) if the workflow runs on trusted inputs, set the environment variable GEMINI_TRUST_WORKSPACE: 'true' in the workflow, or (2) if it runs on untrusted inputs, review Google's guidance and set the environment variable while hardening the workflow against malicious content. Additionally, in version 0.39.1, the Gemini CLI policy engine now evaluates tool allowlisting under --yolo mode (auto-approve mode) to prevent untrusted inputs from triggering code execution via prompt injection. Users should update to @google/gemini-cli version 0.39.1 or later, @google/gemini-cli version 0.40.0-preview.3 or later, and google-github-actions/run-gemini-cli version 0.1.22 or later.
Classification
Affected Vendors
Related Issues
Original source: https://thehackernews.com/2026/04/google-fixes-cvss-10-gemini-cli-ci-rce.html
First tracked: April 30, 2026 at 08:00 AM
Classified by LLM (prompt v3) · confidence: 92%