In headless CI mode, Gemini CLI automatically trusted the workspace folder it was run in; the Cursor bug abused Git hooks that fire when an AI agent runs Git operations inside a repository it is analysing.
Google has addressed a maximum severity security flaw in Gemini CLI (the “@google/gemini-cli” npm package and the “google-github-actions/run-gemini-cli” GitHub Actions workflow) that could have allowed attackers to execute arbitrary commands on host systems. The vulnerability, which carries a CVSS score of 10.0, represents one of the most critical AI supply chain risks discovered to date.
According to Novee Security, “the vulnerability allowed an unprivileged external attacker to force their own malicious content to load as Gemini configuration. This triggered command execution directly on the host system, bypassing security before the agent’s sandbox even initialized.” The flaw does not have a CVE identifier but carries the maximum CVSS severity rating.
The shortcoming affects versions of @google/gemini-cli prior to the latest release. In its advisory published on GitHub, Google said the impact is limited to workflows using Gemini CLI in headless mode, adding that any use of the tool in headless mode without folder trust will require manual review to configure this trust mechanism.
“In previous versions, Gemini CLI running in CI environments (headless mode) automatically trusted workspace folders for the purpose of loading configuration and environment variables,” Google stated. “This is potentially risky in situations where Gemini CLI runs on untrusted folders in headless mode (e.g., CI workflows that review user-submitted pull requests). If used with untrusted directory contents, this could lead to remote code execution via malicious environment variables in the local .gemini/ directory.”
This automatic trust of the current workspace folder meant that the tool could load any agent configuration it found without review, sandboxing, or explicit user consent. An attacker could weaponize this behavior by planting a specially crafted configuration that could pave the way for code execution on the host running the agent, effectively turning CI/CD pipelines into supply-chain attack paths.
The update addresses the problem by requiring folders to be explicitly trusted before configuration files can be accessed. Users are urged to review their workflows and adopt one of two approaches:
- Trusted inputs: If the workflow runs on trusted inputs (e.g., reviewing pull requests from trusted collaborators), set GEMINI_TRUST_WORKSPACE: 'true' in the workflow.
- Untrusted inputs: If the workflow runs on untrusted inputs, review Google’s guidance to harden the workflow against malicious content.
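The two approaches above are usually a per-run decision rather than a fixed setting: the same workflow reviews both collaborators' pull requests and forks. The preflight step below is an added example (not Google's code and not from the article) of making that decision before Gemini CLI is invoked: trusted author associations get the folder trusted, everything else runs with trust off, and the job refuses outright when an untrusted checkout already carries a .gemini/ directory, which is the configuration the older versions loaded automatically. The author-association values, the way the value is handed to Gemini CLI as an environment variable, and the assumption that project-level config lives under .gemini/ in the checkout (with .gemini/.env holding the environment variables Google's advisory mentions) are assumptions about the workflow, not facts from the page.

```shell
#!/bin/sh
# Added example, not Google's or the article's code: preflight for a CI job that
# runs Gemini CLI headless over a checked-out pull request.
# Assumptions: $2 is the PR's author_association value (OWNER/MEMBER/COLLABORATOR/
# CONTRIBUTOR/NONE/...), and project-level Gemini config lives under .gemini/ in
# the checkout (.gemini/.env holds environment variables, per Google's advisory).

# Exit 0 when the author association is one this project treats as trusted.
is_trusted_author() {
    case "$1" in
        OWNER|MEMBER|COLLABORATOR) return 0 ;;
        *) return 1 ;;
    esac
}

# Print every file under the checkout's .gemini/ directory, relative to the
# checkout. These are the files an untrusted PR could have planted for the CLI.
list_workspace_config() {
    dir=$1
    [ -d "$dir/.gemini" ] || return 0
    find "$dir/.gemini" -type f | while IFS= read -r f; do
        printf '%s\n' "${f#"$dir/"}"
    done
}

# Print the value to use for GEMINI_TRUST_WORKSPACE ("true" or "false").
# Returns 1 and prints nothing on stdout when the PR is untrusted AND the
# checkout carries workspace config: the combination the advisory warns about.
decide_trust() {
    dir=$1
    assoc=$2
    if is_trusted_author "$assoc"; then
        printf 'true\n'
        return 0
    fi
    planted=$(list_workspace_config "$dir")
    if [ -n "$planted" ]; then
        printf 'refusing to run: untrusted PR carries Gemini workspace config:\n%s\n' "$planted" >&2
        return 1
    fi
    printf 'false\n'
    return 0
}
```

In the workflow's run step this reads as trust=$(decide_trust "$GITHUB_WORKSPACE" "$PR_AUTHOR_ASSOCIATION") || exit 1, followed by export GEMINI_TRUST_WORKSPACE=$trust before gemini is started (assign and export separately: the exit status of export is always 0, so a failure inside $(...) would otherwise be swallowed). Trust set to false only closes the config-loading path; the PR's own contents still reach the model, so the --yolo tool allowlist hardening described below remains necessary for untrusted inputs.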
Google also noted it is taking steps to harden tool allowlisting when Gemini CLI is configured to run in --yolo mode, to prevent scenarios where untrusted inputs (e.g., user-submitted GitHub issues) lead to remote code execution via prompt injection. As of version 0.39.1, the Gemini CLI policy engine now evaluates tool allowlists under --yolo mode as well, which matters for CI workflows that allowlist a few safe commands while processing untrusted inputs.
Separately, Novee Security highlighted a high-severity vulnerability in the AI-powered development tool Cursor prior to version 2.5 (CVE-2026-26268, CVSS 8.1) that could also lead to arbitrary code execution by means of a prompt injection chain.
Cursor described it as a case of sandbox escape through .git configurations, allowing a rogue agent to set up a bare repository (.git) with a malicious Git hook that is automatically fired every time a commit operation runs within the embedded repository context without requiring any user interaction.
The attack chain works as follows:
- The user clones a public GitHub repository containing a bare repository with a malicious post-checkout hook
- The user opens the repository in Cursor IDE
- The user asks an innocuous prompt to “explain the codebase”
- Cursor’s agent parses an AGENTS.md that instructs it to navigate to the bare repository and perform a “git checkout”
- The post-checkout hook is triggered, leading to code execution
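The chain above hinges on Git's repository discovery rather than on anything Cursor-specific, so the defensive check belongs on the checkout itself. The scanner below is an added example (not Cursor's, Novee's or the article's code): it flags directories inside a checkout that Git would accept as repository directories, lists their executable hooks and any config entries that relocate the hooks or worktree, and includes the Git-level setting that refuses bare repositories Git discovered implicitly. The layout it searches for is Git's own (HEAD plus objects/ and refs/); the hook and config key names, and the constructed directory tree in the usage, are what I would check and are not taken from the article.

```shell
#!/bin/sh
# Added example, not Cursor's, Novee's or the article's code: scan a checkout for
# embedded Git repository directories before an agent is allowed to run git
# inside it. Git's repository discovery accepts any directory holding HEAD,
# objects/ and refs/ as a repository, so a tracked directory laid out that way
# (it cannot be named .git, since Git refuses to track that path component)
# becomes a live repository, hooks included, as soon as git runs from inside it.

# Print, relative to $1, every directory Git would treat as a repository
# directory, ignoring the checkout's own .git and anything beneath it.
find_embedded_gitdirs() {
    root=$1
    find "$root" -type f -name HEAD 2>/dev/null | while IFS= read -r head; do
        d=${head%/HEAD}
        case "$d" in
            "$root/.git"|"$root/.git/"*) continue ;;
        esac
        if [ -d "$d/objects" ] && [ -d "$d/refs" ]; then
            printf '%s\n' "${d#"$root/"}"
        fi
    done
}

# Print the executable hook scripts inside an embedded repository directory.
# Executable bits survive clone, so a committed hooks/post-checkout arrives
# ready to run.
list_hooks() {
    d=$1
    [ -d "$d/hooks" ] || return 0
    for h in "$d"/hooks/*; do
        [ -f "$h" ] && [ -x "$h" ] && printf '%s\n' "${h##*/}"
    done
    return 0
}

# Print config lines that change where Git looks for hooks or a worktree.
suspicious_config() {
    d=$1
    [ -f "$d/config" ] || return 0
    grep -iE '^[[:space:]]*(hookspath|worktree|bare)[[:space:]]*=' "$d/config" || true
}

# Report every embedded repository, its hooks and its config tweaks on stderr.
# Returns 1 if anything was found, 0 for a clean checkout.
scan_checkout() {
    root=$1
    report=$(find_embedded_gitdirs "$root" | while IFS= read -r rel; do
        printf 'embedded git dir: %s\n' "$rel"
        list_hooks "$root/$rel" | sed 's/^/  executable hook: /'
        suspicious_config "$root/$rel" | sed 's/^/  config: /'
    done)
    [ -z "$report" ] && return 0
    printf '%s\n' "$report" >&2
    return 1
}

# Defence in depth for the account the agent runs as (Git 2.38 and later):
# with safe.bareRepository=explicit, Git only uses a bare repository named via
# --git-dir or GIT_DIR, never one it found by walking into the directory.
harden_git_for_agent() {
    git config --global safe.bareRepository explicit
}
```

Run scan_checkout "$PWD" || exit 1 on the freshly cloned directory before handing it to an agent; a clean tree is silent, a planted one is reported with its hooks. harden_git_for_agent is the complementary setting for the agent's own Git configuration and is not exercised by the scanner.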
Security researcher Assaf Levkovich noted: “The root cause is not a flaw in Cursor’s core product logic, but rather a consequence of a feature interaction in Git, one that becomes exploitable the moment an AI agent starts autonomously executing Git operations inside a repository it doesn’t control.”
A second high-severity access control vulnerability in the IDE (CVSS 8.2) could allow any installed extension to access sensitive API keys and credentials stored locally in an SQLite database, enabling account takeover, data exposure, and financial loss stemming from unauthorized API usage. The issue, codenamed CursorJacking by LayerX, currently remains unpatched.
Cursor has maintained that the access is limited to the local machine on which the user has already installed the extension and granted it permissions. Until a fix ships, users are advised to install only extensions they trust.
Source: The Hacker News — Google Fixes CVSS 10 Gemini CLI CI RCE and Cursor Flaws Enable Code Ex

