Google’s fix for critical Gemini CLI bug might break your CI/CD pipelines

Novee Security found a CVSS 10.0 flaw in Gemini CLI that silently executed attacker-controlled content before sandbox initialization — exposing secrets, credentials, and source code across CI/CD workflows.

Novee Marketing


If you use Gemini CLI, watch out: Google has patched a CVSS 10.0 vulnerability in its command-line AI tool and is warning anyone running it in headless mode, or through GitHub Actions, to review their workflows.

The update to Gemini CLI and the run-gemini-cli GitHub Action, published last week but largely unnoticed until one of the two credited research teams published its writeup on Wednesday, fixes a critical – and apparently easy-to-abuse – flaw tied to over-permissive workspace trust settings.

Per Google’s advisory published to GitHub, the issue stems from how the headless mode of Gemini CLI (frequently used in CI/CD environments and increasingly by AI agents) handles workspace folder trust: it automatically treats any workspace folder it is active in as trusted for the purpose of loading configuration files and environment variables.

We trust you can see the problem here. 

Novee researcher Elad Meged discovered the vulnerability while studying CI/CD supply chain attack vectors, he told us. Google also credited Pillar Security’s Dan Lisichkin, who found it independently.

“This vulnerability had nothing to do with prompt injection or the model ‘deciding’ to act maliciously,” Meged told The Register in an email. “It was an infrastructure-level issue, where attacker-controlled content was silently accepted as trusted configuration and executed before any sandbox was initialized.”

Read the full article at The Register→


Originally published in The Register on April 30, 2026 by Brandon Vigliarolo
