{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/run-gemini-cli-github-action/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Gemini CLI","run-gemini-cli GitHub Action"],"_cs_severities":["critical"],"_cs_tags":["rce","supply-chain","github-actions"],"_cs_type":"advisory","_cs_vendors":["Google"],"content_html":"\u003cp\u003eGemini CLI (\u003ccode\u003e@google/gemini-cli\u003c/code\u003e) versions prior to 0.39.1 and version 0.40.0-preview.2, along with the \u003ccode\u003erun-gemini-cli\u003c/code\u003e GitHub Action versions prior to 0.1.22, are susceptible to remote code execution due to insecure workspace trust handling and tool allowlisting bypasses. The vulnerability arises from the automatic trust of workspace folders in headless mode, allowing malicious environment variables within the \u003ccode\u003e.gemini/\u003c/code\u003e directory to be exploited. Furthermore, in \u003ccode\u003e--yolo\u003c/code\u003e mode, the tool allowlist was previously ignored, enabling prompt injection and code execution via commands like \u003ccode\u003erun_shell_command\u003c/code\u003e. This poses a risk, especially in CI/CD environments that process untrusted inputs such as pull requests. The patched version 0.39.1 enforces explicit folder trust in headless mode and properly evaluates tool allowlists under \u003ccode\u003e--yolo\u003c/code\u003e, mitigating these risks. This impacts all Gemini CLI GitHub Actions and requires users to review their workflows.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker submits a malicious pull request to a repository using Gemini CLI in a GitHub Actions workflow.\u003c/li\u003e\n\u003cli\u003eThe workflow, running in headless mode, automatically trusts the workspace folder (versions prior to 0.39.1).\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s pull request includes a crafted \u003ccode\u003e.gemini/\u003c/code\u003e directory containing malicious environment variables.\u003c/li\u003e\n\u003cli\u003eGemini CLI loads the malicious environment variables, leading to code execution.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker injects a malicious prompt leveraging \u003ccode\u003erun_shell_command\u003c/code\u003e when \u003ccode\u003e--yolo\u003c/code\u003e is used.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003erun_shell_command\u003c/code\u003e executes arbitrary commands on the runner due to the bypassed tool allowlist (versions prior to 0.39.1).\u003c/li\u003e\n\u003cli\u003eThe attacker gains control of the CI/CD runner, potentially exfiltrating secrets or injecting malicious code into the deployment pipeline.\u003c/li\u003e\n\u003cli\u003eSuccessful exploitation leads to code execution on the CI/CD runner, data exfiltration, or supply chain compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe vulnerability impacts workflows utilizing Gemini CLI in headless mode, particularly those processing untrusted inputs such as pull requests from external contributors. Successful exploitation can lead to remote code execution on the CI/CD runner, potentially enabling attackers to exfiltrate sensitive information, such as API keys and credentials, or inject malicious code into the application deployment pipeline. This can lead to a supply chain compromise. All Gemini CLI GitHub Actions are affected, requiring users to review and update their workflows.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade \u003ccode\u003e@google/gemini-cli\u003c/code\u003e to version 0.39.1 or later, or 0.40.0-preview.3 if using a preview version.\u003c/li\u003e\n\u003cli\u003eUpgrade \u003ccode\u003eactions/google-github-actions/run-gemini-cli\u003c/code\u003e to version 0.1.22 or later.\u003c/li\u003e\n\u003cli\u003eFor workflows running on trusted inputs, set \u003ccode\u003eGEMINI_TRUST_WORKSPACE: 'true'\u003c/code\u003e in the GitHub Actions workflow.\u003c/li\u003e\n\u003cli\u003eFor workflows processing untrusted inputs, review the hardening guidance in \u003ca href=\"https://github.com/google-github-actions/run-gemini-cli\"\u003egoogle-github-actions/run-gemini-cli\u003c/a\u003e and set the environment variable accordingly.\u003c/li\u003e\n\u003cli\u003eReview and harden tool allowlists in \u003ccode\u003e~/.gemini/settings.json\u003c/code\u003e to restrict the commands that can be executed, especially when using the \u003ccode\u003e--yolo\u003c/code\u003e flag.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-24T19:30:01Z","date_published":"2026-04-24T19:30:01Z","id":"/briefs/2026-04-gemini-cli-rce/","summary":"Gemini CLI is vulnerable to remote code execution via workspace trust and tool allowlisting bypasses, impacting headless mode and GitHub Actions workflows.","title":"Gemini CLI Remote Code Execution via Workspace Trust and Tool Allowlisting Bypasses","url":"https://feed.craftedsignal.io/briefs/2026-04-gemini-cli-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — Run-Gemini-Cli GitHub Action","version":"https://jsonfeed.org/version/1.1"}