Skip to main content

Google Gemini CLI CVE-2026-12537

| EUVDEUVD-2026-38790 CRITICAL
Improper Input Validation (CWE-20)
2026-06-24 GoogleCloud GHSA-jj69-4grx-fqj5
10.0
CVSS 4.0 · Vendor: GoogleCloud
Share

Severity by source

Vendor (GoogleCloud) PRIMARY
10.0 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Clear
vuln.today AI
10.0 CRITICAL

Malicious .env arrives as repo content over the network (AV:N) and runs unauthenticated with no interaction in automated CI (PR:N/UI:N); pre-sandbox host execution escapes the intended sandbox (S:C) with full host impact.

3.1 AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (GoogleCloud).

CVSS VectorVendor: GoogleCloud

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Clear
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
Patch available
Jun 24, 2026 - 15:02 EUVD
Source Code Evidence Fetched
Jun 24, 2026 - 14:20 vuln.today
Analysis Generated
Jun 24, 2026 - 14:20 vuln.today
CVE Published
Jun 24, 2026 - 13:37 cve.org
CRITICAL 10.0

DescriptionCVE.org

Improper Neutralization used in an OS Command in the container launcher in Google Gemini CLI (versions prior to 0.39.1) and run-gemini-cli GitHub Action (versions prior to 0.1.22) on headless CI platforms allows an unprivileged attacker to achieve pre-sandbox host-level code execution a maliciously crafted .gemini/.env file.

AnalysisAI

Pre-sandbox host-level code execution in Google Gemini CLI (versions prior to 0.39.1) and the run-gemini-cli GitHub Action (prior to 0.1.22) allows an unprivileged attacker to run arbitrary commands on CI/CD runner hosts by planting a malicious .gemini/.env file in an untrusted workspace. In headless mode the tool automatically trusted workspace folders and loaded their environment variables before sandboxing, so a workflow that processes attacker-controlled content (for example reviewing a submitted pull request) would execute attacker-supplied commands on the host. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Submit malicious PR with .gemini/.env
Delivery
CI runs headless Gemini CLI
Exploit
Workspace auto-trusted, .env loaded
Execution
Crafted command reaches container launcher
Persist
Pre-sandbox code execution on runner
Impact
Steal CI secrets and pivot

Vulnerability AssessmentAI

Exploitation Exploitation requires that Gemini CLI or the run-gemini-cli GitHub Action runs in headless (non-interactive) CI mode on a workspace whose contents are attacker-controlled, and that an attacker can place a crafted .gemini/.env file in that workspace - the prototypical case being a workflow that checks out and processes externally submitted pull requests or issues. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment All severity signals point the same direction: the CVSS 4.0 vector AV:N/AC:L/AT:N/PR:N/UI:N with high confidentiality, integrity and availability impact on both the vulnerable and subsequent systems yields a maximal 10.0, reflecting unauthenticated, low-complexity, no-interaction exploitation that escapes the intended sandbox (host-level, pre-sandbox execution). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker opens a pull request to a repository whose CI uses run-gemini-cli to auto-review submissions, including a malicious .gemini/.env file in the branch. When the headless Gemini CLI auto-trusts the workspace and loads those environment variables before sandboxing, the attacker's payload executes as host-level code on the CI runner, potentially exposing repository secrets and the build environment. …
Remediation Vendor-released patch: upgrade @google/gemini-cli to 0.39.1 or later (preview users to 0.40.0-preview.3 or later) and upgrade the run-gemini-cli GitHub Action to 0.1.22 or later, per advisory GHSA-wpqr-6v78-jr5g (https://github.com/google-github-actions/run-gemini-cli/security/advisories/GHSA-wpqr-6v78-jr5g). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Identify all pipelines using affected versions of Google Gemini CLI or run-gemini-cli; pause processing of external/untrusted code through these tools. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-12537 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy