Gemini CLI: RCE via Workspace Trust and Tool Allowlist Bypass (GHSA-wpqr-6v78-jr5g)
Gemini CLI running in CI/CD headless mode automatically trusted workspace folders and executed configuration from them without verification. A second bypass in Yolo execution mode ignored fine-grained tool allowlists entirely. The combination let an attacker plant a malicious .gemini/settings.json in any repository processed by the agent to achieve arbitrary command execution on the build host. Researchers Elad Meged (Novee Security) and Dan Lisichkin (Pillar Security) discovered both bypasses. GitHub rated the advisory CVSS 10.0. Google patched both the CLI and the associated GitHub Action on April 24, 2026.
What happened
Gemini CLI has two execution modes relevant to the attack. In non-interactive headless mode, used pervasively in GitHub Actions workflows, the tool previously granted automatic trust to the workspace folder it found itself in. That trust loaded local configuration and environment variables from the directory without any verification that the directory was safe to trust.
The attack path is short. An attacker who can land a malicious .gemini/settings.json in a repository processed by the agent can trigger arbitrary OS command execution when the workflow runs. The file is read during tool discovery, before any output is produced for the user. No interaction is required once the file is in place.
The second bypass is independent. Gemini CLI's Yolo execution mode was designed to allow operators to pre-approve certain tool uses. The mode failed to enforce fine-grained tool allowlists, meaning an attacker who could influence the prompt could bypass restrictions designed to prevent dangerous tool invocations. Prompt injection through untrusted issue bodies, PR descriptions, or workspace files was sufficient.
Researchers Elad Meged (Novee Security) and Dan Lisichkin (Pillar Security) disclosed both bypasses. Google published the advisory on April 24, 2026 and shipped fixes in @google/gemini-cli 0.39.1 and run-gemini-cli GitHub Action v0.1.22. GitHub rated the advisory GHSA-wpqr-6v78-jr5g at CVSS 10.0, with no CVE ID assigned at the time of publication.
The PolicyLayer angle
This is the CI/CD agent attack in its cleanest form. A workflow that processes untrusted repository content, runs an AI agent with tool access, and inherits implicit workspace trust has no meaningful boundary between repository content and tool execution. The Yolo mode failure makes it worse: an operator-defined allowlist that the agent itself can be instructed to ignore is not an allowlist.
The specific controls that break the chain: require explicit workspace trust declarations that cannot be overridden by content in the workspace itself; validate tool allowlists outside the model context so that a manipulated prompt cannot expand the permitted set; scope agent tool access per workflow step rather than per session. A GitHub Actions run that processes issue bodies should not have the same tool permissions as one that processes known-good internal configuration.
The broader point is that CI/CD agents are a distinct threat surface from interactive agents. The operator is absent. The input is untrusted by definition. A policy layer that treats CI agent invocations as inherently higher-risk and enforces stricter allowlists for headless runs would have contained both bypasses independently of whether the CLI patched them.
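The first two controls above, as an added example that is not Gemini CLI's code or PolicyLayer's: a tool gate for a headless CI agent that takes permission decisions only from an operator-controlled, per-step policy and strips permission keys from any workspace-supplied settings before they are used. The settings field names, tool names and step names are hypothetical, and the sample workspace settings object is constructed for the demonstration.

```javascript
// Added example (not Gemini CLI's code): operator-side tool gate for a
// headless CI agent. Permission decisions come only from OPERATOR_POLICY;
// workspace settings are sanitised and their permission keys ignored.
// All field, tool and step names are hypothetical.

// Operator policy, fixed per workflow step. In practice this lives in a
// protected workflow file or secret store, never in the checked-out repo.
const OPERATOR_POLICY = {
  stepProfiles: {
    "triage-issue": { allowedTools: ["read_file", "search_code"] },
    "lint-internal": { allowedTools: ["read_file", "run_shell_command"] },
  },
};

// Keys in a workspace settings file that must never influence permissions.
const PERMISSION_KEYS = ["allowedTools", "autoApprove", "yolo", "trust"];

// Keep benign workspace settings, drop permission keys, and report what
// was dropped so the run can be audited.
function sanitizeWorkspaceSettings(settings) {
  const kept = {};
  const dropped = [];
  for (const [key, value] of Object.entries(settings || {})) {
    if (PERMISSION_KEYS.includes(key)) dropped.push(key);
    else kept[key] = value;
  }
  return { kept, dropped };
}

// Decide whether a proposed tool call may run. `mode` is whatever the
// model or prompt requested; it is logged but can never widen the profile.
function authorizeToolCall(step, toolName, mode = "default") {
  const profile = OPERATOR_POLICY.stepProfiles[step];
  if (!profile) return { allowed: false, reason: `unknown step '${step}'` };
  if (!profile.allowedTools.includes(toolName)) {
    return { allowed: false, reason: `'${toolName}' not allowed in '${step}'` };
  }
  return { allowed: true, reason: `operator profile permits it (mode=${mode})` };
}

// Constructed sample: repository-provided settings that try to grant
// themselves shell access. The gate strips the keys and still denies.
const workspaceSettings = { theme: "dark", allowedTools: ["run_shell_command"], yolo: true };

const { kept, dropped } = sanitizeWorkspaceSettings(workspaceSettings);
console.log("kept:", kept, "dropped:", dropped);
console.log(authorizeToolCall("triage-issue", "run_shell_command", "yolo"));
console.log(authorizeToolCall("triage-issue", "read_file"));
```

The same gate can run in front of every tool invocation in a workflow step, so a prompt-injected request for a tool outside the step's profile is refused regardless of what mode the agent believes it is in.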
Mitigations
Upgrade @google/gemini-cli to 0.39.1 or later, or to 0.40.0-preview.3 or later. Upgrade google-github-actions/run-gemini-cli to v0.1.22 or later. Review all GitHub Actions workflows that invoke Gemini CLI in headless mode: the trust model change is a breaking change and may require explicit trust configuration. Do not process untrusted pull request content, issue bodies, or workspace files in the same agent context that has tool execution access to secrets or the build environment.
FAQs
No CVE ID had been assigned at the time of the advisory publication (April 24, 2026). The vulnerability is tracked solely under GHSA-wpqr-6v78-jr5g in the GitHub Advisory Database.
The most severe exposure is in headless CI/CD environments like GitHub Actions, where the automatic workspace trust and absent user interaction make exploitation straightforward. The trust bypass also affects any local Gemini CLI invocation against an untrusted directory, though exploitation in interactive mode requires the user to open the malicious repository.
Operators who believed they had constrained what tools Gemini CLI could invoke by configuring an allowlist discovered that Yolo execution mode ignored those constraints. An attacker able to inject instructions into the agent's prompt context could direct the agent to use tools outside the declared allowlist, neutralising the restriction entirely.