{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/gemini-clis-repository/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Gemini CLI","gemini-cli's repository","GitHub Actions"],"_cs_severities":["critical"],"_cs_tags":["supply-chain","prompt-injection","code-execution"],"_cs_type":"advisory","_cs_vendors":["Google"],"content_html":"\u003cp\u003eA critical vulnerability was discovered in Gemini CLI, an open-source AI agent that provides terminal access to Google\u0026rsquo;s Gemini AI assistant. The vulnerability stemmed from the \u003ccode\u003e-yolo\u003c/code\u003e mode, which bypassed tool allowlists, allowing arbitrary command execution. An attacker could inject malicious prompts into a public GitHub issue within a Google repository and use them to take over the AI agent designed to triage the issue. A successful takeover could lead to the extraction of internal secrets, full repository write access, and a complete supply chain compromise. At least eight Google repositories were found to have the same vulnerable workflow template deployed. 
The vulnerability was addressed on April 24, 2026, with the release of Gemini CLI version 0.39.1, which implements tool allowlisting in \u003ccode\u003e-yolo\u003c/code\u003e mode, and an update to the \u003ccode\u003erun-gemini-cli\u003c/code\u003e GitHub Action.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker creates a public issue on a Google-owned GitHub repository.\u003c/li\u003e\n\u003cli\u003eThe attacker embeds malicious prompts within the text of the GitHub issue.\u003c/li\u003e\n\u003cli\u003eThe AI agent (Gemini CLI) automatically triages the issue in \u003ccode\u003e-yolo\u003c/code\u003e mode.\u003c/li\u003e\n\u003cli\u003eDue to the bypassed allowlists, the injected malicious prompts are executed by the agent.\u003c/li\u003e\n\u003cli\u003eThe agent extracts internal secrets from the build environment based on attacker instructions.\u003c/li\u003e\n\u003cli\u003eThe agent sends the extracted secrets to an attacker-controlled server.\u003c/li\u003e\n\u003cli\u003eUsing the stolen credentials, the attacker obtains a token with full write access to the repository.\u003c/li\u003e\n\u003cli\u003eThe attacker pushes arbitrary code to the main branch of the \u003ccode\u003egemini-cli\u003c/code\u003e repository, impacting all downstream users.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis vulnerability could have enabled a full supply chain compromise, potentially affecting all users of Gemini CLI and other repositories with the same vulnerable workflow templates. An attacker could inject malicious code into the \u003ccode\u003egemini-cli\u003c/code\u003e repository, leading to widespread distribution of compromised software. 
The number of affected users and systems is unknown, but the potential impact is significant given the broad use of open-source tools and the high CVSS score.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to Gemini CLI version 0.39.1 or later to ensure proper tool allowlisting is enforced, as detailed in the overview.\u003c/li\u003e\n\u003cli\u003eReview GitHub Action workflows for use of the \u003ccode\u003erun-gemini-cli\u003c/code\u003e action and ensure it is updated to the latest version, mitigating the vulnerability described in the overview.\u003c/li\u003e\n\u003cli\u003eMonitor GitHub issue creation events for suspicious patterns indicative of prompt injection, helping to identify potential exploit attempts as outlined in the attack chain.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious Gemini CLI Command Execution\u003c/code\u003e to detect command execution patterns associated with potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Gemini CLI Configuration File Access\u003c/code\u003e to monitor for unauthorized access to configuration files in headless mode, as mentioned in the overview.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-07T10:39:34Z","date_published":"2026-05-07T10:39:34Z","id":"/briefs/2026-05-gemini-cli-vuln/","summary":"A critical vulnerability in Google's Gemini CLI, an open-source AI agent, could have enabled attackers to inject malicious prompts into GitHub issues, leading to code execution and a supply chain compromise.","title":"Gemini CLI Vulnerability Leads to Potential Supply Chain Attack","url":"https://feed.craftedsignal.io/briefs/2026-05-gemini-cli-vuln/"}],"language":"en","title":"CraftedSignal Threat Feed — Gemini-Cli's Repository","version":"https://jsonfeed.org/version/1.1"}