- CVE: CVE-2026-12537
- CVSS: 10 (Critical · CVSSv4)
- Product: Google Cloud Gemini CLI
- Affected: Gemini CLI < 0.39.1; run-gemini-cli GitHub Action < 0.1.22
- Impact: Unauthenticated Remote Code Execution in Gemini CLI CI/CD Workflows
- Status: No confirmed exploitation yet
- Patched in: Gemini CLI 0.39.1 (or 0.40.0-preview.3); run-gemini-cli 0.1.22
- EPSS: 0.3% (30-day)
- Action: Update to Gemini CLI 0.39.1 and run-gemini-cli 0.1.22 now
A critical Gemini CLI vulnerability (CVE-2026-12537) exposes developer workflows to maximum-severity attacks. Google recently disclosed the flaw with a CVSS 10 rating.
TL;DR
A critical Gemini CLI vulnerability allows OS command injection in continuous integration pipelines. An attacker can execute arbitrary code by supplying a malicious environment file. Developers must update their GitHub Actions workflows immediately to secure their build environments.
Why it matters
The vulnerability carries a maximum CVSS 10 rating. The run-gemini-cli GitHub Action automates code reviews and issue triage, acting as an autonomous agent inside code repositories. A successful exploit grants the attacker pre-sandbox, host-level code execution on the CI runner. From there, an attacker could compromise the entire continuous integration server, modify source code, or steal deployment secrets. The vendor has not confirmed active exploitation in the wild, and no public proof-of-concept code currently exists.
How the attack works
The bug primarily affects headless, automated environments. Earlier versions of the tool automatically trusted the workspace folder. An attacker crafts a malicious environment file and submits it through an ordinary pull request. The container launcher fails to neutralize OS command syntax in that file, so the commands run when the automated workflow executes. The flaw is triggered through prompt injection and ends in code execution on the host, outside the sandbox, as an unprivileged user.
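To make the bug class concrete, here is an added example that is not Gemini CLI or run-gemini-cli code and does not reproduce the actual flaw. It contrasts a launcher that hands a repository-supplied environment file to a shell (so `$(...)` in a value runs as a command) with a parser that treats the same file as data and passes values to the child process through its environment. The sample `.env` content is constructed for the demonstration; the launcher function names are my own.

```python
import os
import re
import subprocess
import sys
import tempfile

# Constructed sample: an environment file as an attacker could ship it in a
# pull request. The second value carries a shell command substitution.
MALICIOUS_ENV = "MODEL=gemini-pro\nREPO_NAME=$(echo injected-by-env-file)\n"

ENV_LINE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)=(.*)$")
SHELL_META = re.compile(r"[`$;&|<>()]")


def unsafe_load(env_text: str, key: str) -> str:
    """Vulnerable pattern (illustrative, not the real launcher): hand the
    file to a shell with 'set -a; . file' and read KEY back. The shell
    evaluates $(...), backticks and ';' inside every value, so whoever wrote
    the file gets command execution on the runner."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, ".env")
        with open(path, "w") as fh:
            fh.write(env_text)
        out = subprocess.run(
            ["sh", "-c", f'set -a; . "{path}"; printf "%s" "${key}"'],
            capture_output=True, text=True, check=True,
        )
        return out.stdout


def safe_load(env_text: str) -> dict:
    """Hardened pattern: parse KEY=VALUE lines as data. Nothing is
    evaluated; a value such as $(...) stays a literal string."""
    env = {}
    for lineno, raw in enumerate(env_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ENV_LINE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not a KEY=VALUE assignment")
        key, value = m.group(1), m.group(2)
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]  # strip one pair of quotes, keep content literal
        env[key] = value
    return env


def flag_suspicious(env: dict) -> list:
    """Keys whose values contain shell metacharacters: worth logging or
    rejecting when the file arrives in an untrusted pull request."""
    return [k for k, v in env.items() if SHELL_META.search(v)]


def run_with_env(env: dict, argv: list) -> str:
    """Pass parsed values to a child through its environment and an argv
    list, with no shell in between, so a value is never parsed as syntax."""
    out = subprocess.run(
        argv, env={**os.environ, **env},
        capture_output=True, text=True, check=True,
    )
    return out.stdout


def demo() -> dict:
    """Run both paths on the same malicious file and return what each saw."""
    env = safe_load(MALICIOUS_ENV)
    child = [sys.executable, "-c",
             "import os; print(os.environ['REPO_NAME'], end='')"]
    return {
        "unsafe": unsafe_load(MALICIOUS_ENV, "REPO_NAME"),
        "safe_value": env["REPO_NAME"],
        "flagged": flag_suspicious(env),
        "child_sees": run_with_env(env, child),
    }


if __name__ == "__main__":
    for name, seen in demo().items():
        print(f"{name}: {seen!r}")
```

The unsafe path returns the output of the injected command, while the safe path returns the literal `$(echo ...)` string, flags the key as suspicious, and the child process still sees only that literal. The lesson carries over to any CI launcher: a file that arrives in a pull request is attacker input, and it must never reach a shell as code.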
Affected versions
This OS command injection flaw affects two Google developer tools, both of which ship the vulnerable container launcher.
- Google Gemini CLI versions prior to 0.39.1
- run-gemini-cli GitHub Action versions prior to 0.1.22
Patch or mitigation steps
Administrators must review and update their continuous integration workflows. Upgrade to the patched run-gemini-cli version 0.1.22 immediately. Workflows that pin a Gemini CLI version manually must move to 0.39.1 or 0.40.0-preview.3. The update changes how headless environments handle folder trust: developers must now configure workspace trust explicitly.
For workflows that only process trusted inputs, add the workspace trust setting to your configuration. For workflows that process untrusted inputs, harden the workflow settings manually; the official security advisory gives detailed hardening guidance. Workflows whose configuration is not updated will fail after the upgrade.
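Reviewing every workflow by hand is error-prone, so here is an added example (my own code, not part of the report or of Google's tooling) that scans GitHub Actions workflow text for run-gemini-cli references below 0.1.22 and for manually pinned Gemini CLI versions below 0.39.1. It assumes the action is referenced as `google-github-actions/run-gemini-cli` and that the CLI version override is passed through an input named `gemini_cli_version`; both names are assumptions to adjust to your workflows. The sample workflow files are constructed, and the commit SHA in them is a placeholder.

```python
import re

ACTION = "google-github-actions/run-gemini-cli"   # assumed action path
PATCHED_ACTION = (0, 1, 22)                        # run-gemini-cli fix, per the advisory
PATCHED_CLI = (0, 39, 1)                           # Gemini CLI fix, per the advisory

USES_RE = re.compile(r"uses:\s*" + re.escape(ACTION) + r"@(\S+)")
# assumed input name for a manually pinned CLI version
CLI_RE = re.compile(r"gemini_cli_version:\s*[\"']?([0-9][^\"'\s]*)")
VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")

# Constructed sample workflows; the commit SHA is a placeholder, not a real pin.
SAMPLE_WORKFLOWS = {
    ".github/workflows/review.yml": """\
name: Gemini review
on: pull_request
jobs:
  review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: google-github-actions/run-gemini-cli@v0.1.20
        with:
          gemini_cli_version: "0.38.0"
""",
    ".github/workflows/triage.yml": """\
name: Issue triage
on: issues
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - uses: google-github-actions/run-gemini-cli@v0.1.22
        with:
          gemini_cli_version: 0.40.0-preview.3
""",
    ".github/workflows/pinned.yml": """\
jobs:
  review:
    steps:
      - uses: google-github-actions/run-gemini-cli@0123456789abcdef0123456789abcdef01234567
""",
}


def parse_version(ref: str):
    """(major, minor, patch) for tags like v0.1.20 or 0.40.0-preview.3;
    None for branch names and commit SHAs, which need a manual check."""
    m = VERSION_RE.match(ref.strip())
    return tuple(int(x) for x in m.groups()) if m else None


def scan_workflow(name: str, text: str) -> list:
    """Return (file, line, message) for every reference that is below the
    patched version or that cannot be compared automatically."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.search(line)
        if m:
            ref = m.group(1)
            v = parse_version(ref)
            if v is None:
                findings.append((name, lineno,
                                 f"action pinned to {ref}: confirm it is at or after 0.1.22"))
            elif v < PATCHED_ACTION:
                findings.append((name, lineno, f"action {ref} is below 0.1.22"))
        m = CLI_RE.search(line)
        if m:
            ref = m.group(1)
            v = parse_version(ref)
            if v is None or v < PATCHED_CLI:
                findings.append((name, lineno, f"gemini_cli_version {ref} is below 0.39.1"))
    return findings


def scan_all(workflows: dict = SAMPLE_WORKFLOWS) -> list:
    """Scan a mapping of path -> workflow text and collect all findings."""
    out = []
    for name, text in workflows.items():
        out.extend(scan_workflow(name, text))
    return out


if __name__ == "__main__":
    for path, lineno, msg in scan_all():
        print(f"{path}:{lineno}: {msg}")
```

On the sample input the scanner reports the review workflow twice (action and CLI version both below the fix) and the SHA-pinned workflow once for manual confirmation, while the triage workflow, already on 0.1.22 and 0.40.0-preview.3, is clean. Pinning to a commit SHA remains the better practice; the scanner cannot compare a SHA to a version, so it asks you to confirm the commit is at or after the patched tag rather than silently passing it.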