Gemini CLI Vulnerability Could Have Led to Code Execution, Supply Chain Attack
A critical vulnerability in Gemini CLI allowed attackers to inject malicious prompts into GitHub issues, potentially leading to full supply chain compromise. The flaw existed because the CLI's --yolo mode ignored tool allowlists, enabling execution of arbitrary commands. Attackers could exploit this by submitting crafted issues that hijack the AI agent responsible for triaging issues, extracting internal secrets and escalating privileges to push malicious code to the main repository branch. Google addressed this vulnerability in Gemini CLI version 0.39.1 by enforcing tool allowlisting in --yolo mode and updating related GitHub Actions. An additional trust issue in headless mode was also fixed, preventing unauthorized access to credentials and source code in CI workflows. No known exploits in the wild have been reported. The vulnerability was rated medium severity by the source but is technically critical due to its potential impact.
AI Analysis
Technical Summary
Gemini CLI, an open source AI agent interfacing with Google's Gemini AI, contained a critical security flaw: its --yolo mode bypassed tool allowlists, allowing arbitrary command execution. Attackers could exploit this by injecting malicious prompts into public GitHub issues. The AI agent would process those issues automatically and execute commands from them, leading to extraction of internal secrets and repository takeover. This could result in supply chain attacks by pushing malicious code to the main branch, affecting all downstream users. The vulnerability also included a trust issue in headless mode that allowed unauthorized access to workspace configurations and secrets in CI environments. Google released Gemini CLI version 0.39.1 and updated the run-gemini-cli GitHub Action on April 24, 2026, to remediate these issues.
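A simplified model of the check ordering described above, as an added example (not Gemini CLI's code): the tool names, allowlist entries and function names are hypothetical. It contrasts an auto-approve path that returns before the allowlist is consulted with one where the allowlist always applies and auto-approve only skips the confirmation prompt.

```python
from dataclasses import dataclass

# Hypothetical policy for an issue-triage agent: names are illustrative,
# not Gemini CLI's real tool names or configuration syntax.
ALLOWED_TOOLS = {"read_issue", "add_label"}
ALLOWED_SHELL_PREFIXES = ("gh issue edit ", "gh issue view ")

@dataclass(frozen=True)
class ToolCall:
    tool: str
    argument: str = ""

def on_allowlist(call: ToolCall) -> bool:
    """True only if the tool, and for shell calls the command, is allowlisted."""
    if call.tool == "shell":
        # Reject shell metacharacters so an allowed prefix cannot chain commands.
        if any(ch in call.argument for ch in ";|&`$><\n"):
            return False
        return call.argument.startswith(ALLOWED_SHELL_PREFIXES)
    return call.tool in ALLOWED_TOOLS

def authorize_before_fix(call: ToolCall, auto_approve: bool) -> str:
    """Flawed ordering: auto-approve returns before the allowlist is consulted."""
    if auto_approve:
        return "run"
    return "ask" if on_allowlist(call) else "deny"

def authorize_after_fix(call: ToolCall, auto_approve: bool) -> str:
    """Corrected ordering: allowlist always applies; auto-approve only skips the prompt."""
    if not on_allowlist(call):
        return "deny"
    return "run" if auto_approve else "ask"

# Constructed tool calls an agent might emit after reading untrusted issue text.
SAMPLE_CALLS = [
    ToolCall("add_label", "bug"),
    ToolCall("shell", "gh issue edit 12 --add-label bug"),
    ToolCall("shell", "uname -a"),
    ToolCall("shell", "gh issue view 12; uname -a"),
]

def compare(auto_approve: bool = True):
    """Return (call, before, after) decisions for each sample call."""
    return [(c, authorize_before_fix(c, auto_approve), authorize_after_fix(c, auto_approve))
            for c in SAMPLE_CALLS]

if __name__ == "__main__":
    for call, before, after in compare():
        print(f"{call.tool:10} {call.argument!r:40} before={before:4} after={after}")
```

With auto-approve on, the flawed ordering runs all four calls, while the corrected ordering runs only the two allowlisted ones and denies the rest.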
Potential Impact
Successful exploitation could lead to full compromise of the Gemini CLI repository, allowing attackers to push arbitrary code to the main branch and thereby compromise all downstream users relying on the software. Attackers could also extract internal secrets from build environments and obtain tokens with full write access to repositories. The trust issue in headless mode could expose credentials, secrets, and source code across continuous integration workflows, increasing the risk of supply chain attacks. No known active exploitation has been reported.
Mitigation Recommendations
Google has released an official fix in Gemini CLI version 0.39.1 that enforces tool allowlisting in --yolo mode and addresses the trust issue in headless mode. Users and organizations should update to this version immediately to mitigate the vulnerability. The run-gemini-cli GitHub Action has also been updated, and the updated version should be applied as well. Since this is not a cloud service, patching the client software is required. Patch status is confirmed by the vendor advisory.
Technical Details
- Article Source: https://www.securityweek.com/gemini-cli-vulnerability-could-have-led-to-code-execution-supply-chain-attack/ (fetched 2026-05-07T10:51:22.781Z; word count 964)
Threat ID: 69fc6eaacbff5d8610d983df
Added to database: 5/7/2026, 10:51:22 AM
Last enriched: 5/7/2026, 10:51:35 AM
Last updated: 5/7/2026, 11:55:48 AM