Max-severity RCE flaw found in Google Gemini CLI
Summary
A maximum-severity vulnerability in Google Gemini CLI allowed remote code execution (RCE, where attackers can run commands on a system they don't own) when the tool processed untrusted inputs in automated environments like CI/CD pipelines (automated workflows that test and deploy code). The flaw occurred because the CLI automatically trusted workspace configurations without verification, letting attackers inject malicious code that would execute before security protections kicked in.
Solution / Mitigation
The issue was fixed in @google/gemini-cli versions 0.39.1 and 0.40.0-preview.3, and in run-gemini-cli version 0.1.22. The patches removed implicit workspace trust in headless (non-interactive) environments and now require explicit trust decisions before loading workspace configurations. Additionally, the fix enforces stricter tool allowlisting (a list of permitted commands) to prevent command execution outside intended restrictions. Workflows that pin a specific gemini-cli version are advised to upgrade to a patched release and review their existing Gemini CLI configurations.
Classification
Affected Vendors
Related Issues
Original source: https://www.csoonline.com/article/4165470/max-severity-rce-flaw-found-in-google-gemini-cli.html
First tracked: April 30, 2026 at 08:00 AM
Classified by LLM (prompt v3) · confidence: 95%