Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Clear
Malicious .env arrives as repo content over the network (AV:N) and runs unauthenticated with no interaction in automated CI (PR:N/UI:N); pre-sandbox host execution escapes the intended sandbox (S:C) with full host impact.
Primary rating from Vendor (GoogleCloud).
CVSS VectorVendor: GoogleCloud
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Clear
Lifecycle Timeline
4DescriptionCVE.org
Improper Neutralization used in an OS Command in the container launcher in Google Gemini CLI (versions prior to 0.39.1) and run-gemini-cli GitHub Action (versions prior to 0.1.22) on headless CI platforms allows an unprivileged attacker to achieve pre-sandbox host-level code execution a maliciously crafted .gemini/.env file.
AnalysisAI
Pre-sandbox host-level code execution in Google Gemini CLI (versions prior to 0.39.1) and the run-gemini-cli GitHub Action (prior to 0.1.22) allows an unprivileged attacker to run arbitrary commands on CI/CD runner hosts by planting a malicious .gemini/.env file in an untrusted workspace. In headless mode the tool automatically trusted workspace folders and loaded their environment variables before sandboxing, so a workflow that processes attacker-controlled content (for example reviewing a submitted pull request) would execute attacker-supplied commands on the host. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that Gemini CLI or the run-gemini-cli GitHub Action runs in headless (non-interactive) CI mode on a workspace whose contents are attacker-controlled, and that an attacker can place a crafted .gemini/.env file in that workspace - the prototypical case being a workflow that checks out and processes externally submitted pull requests or issues. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | All severity signals point the same direction: the CVSS 4.0 vector AV:N/AC:L/AT:N/PR:N/UI:N with high confidentiality, integrity and availability impact on both the vulnerable and subsequent systems yields a maximal 10.0, reflecting unauthenticated, low-complexity, no-interaction exploitation that escapes the intended sandbox (host-level, pre-sandbox execution). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker opens a pull request to a repository whose CI uses run-gemini-cli to auto-review submissions, including a malicious .gemini/.env file in the branch. When the headless Gemini CLI auto-trusts the workspace and loads those environment variables before sandboxing, the attacker's payload executes as host-level code on the CI runner, potentially exposing repository secrets and the build environment. … |
| Remediation | Vendor-released patch: upgrade @google/gemini-cli to 0.39.1 or later (preview users to 0.40.0-preview.3 or later) and upgrade the run-gemini-cli GitHub Action to 0.1.22 or later, per advisory GHSA-wpqr-6v78-jr5g (https://github.com/google-github-actions/run-gemini-cli/security/advisories/GHSA-wpqr-6v78-jr5g). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Identify all pipelines using affected versions of Google Gemini CLI or run-gemini-cli; pause processing of external/untrusted code through these tools. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-20 – Improper Input Validation
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38790
GHSA-jj69-4grx-fqj5