Description
Improper Neutralization used in an OS Command in the container launcher in Google Gemini CLI (versions prior to 0.39.1) and run-gemini-cli GitHub Action (versions prior to 0.1.22) on headless CI platforms allows an unprivileged attacker to achieve pre-sandbox host-level code execution via a maliciously crafted .gemini/.env file.
Published: 2026-06-24
Score: 10 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper neutralization of an operating-system command in the container launcher of Gemini CLI and the run-gemini-cli GitHub Action lets an attacker who can place a maliciously crafted .gemini/.env file in the workspace run arbitrary commands on the CI host before the sandbox container starts (pre-sandbox, host-level code execution). The flaw stems from accepting the file's contents without validation (CWE-20), and the attacker needs no privileges on the CI host to exploit it.

Affected Systems

Google Cloud Gemini CLI before 0.39.1 and the run-gemini-cli GitHub Action before 0.1.22 are affected when run on headless CI platforms. Any pipeline that invokes these tools on a checkout whose .gemini/.env file can be written by untrusted parties is at risk; the pipeline itself does not need to be privileged for the host to be compromised.

Risk and Exploitability

The vulnerability carries a CVSS 4.0 score of 10 (Critical): network-reachable, low attack complexity, no privileges or user interaction required, with high impact on the vulnerable system and on subsequent systems. No EPSS score is available, and the absence of a KEV listing means only that in-the-wild exploitation has not been recorded (the SSVC assessment lists Exploitation: none but Automatable: yes); it does not lower the exposure, because the attack is a supply-chain style injection of a crafted .gemini/.env file into a repository that a CI workflow then processes. An unprivileged attacker who can influence that file's contents achieves host-level code execution on the CI runner, compromising the confidentiality, integrity and availability of the build environment and of anything the runner's credentials can reach.

Generated by OpenCVE AI on June 24, 2026 at 14:50 UTC.
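The following is an added illustration, not code from Gemini CLI or the run-gemini-cli action, of the weakness class the Impact paragraph describes. A hypothetical container launcher reads a .gemini/.env file; in the vulnerable shape it interpolates the values into a shell command line, so a value containing shell metacharacters runs on the host before any container exists. The hardened shape builds an argv array for `docker` with no shell involved and validates keys, so the same value reaches the container as an inert literal. The sample .env content, the function names and the particular `docker run` flags are assumptions made for this example.

```javascript
'use strict';

// Constructed sample .gemini/.env for this example (not a real project file).
// The DEBUG value carries shell metacharacters and the last key is shaped
// like a CLI flag; both are hostile inputs a launcher must neutralize.
const SAMPLE_DOTENV = [
  '# project settings',
  'GEMINI_MODEL=gemini-pro',
  'HTTP_PROXY="http://proxy.internal:3128"',
  'DEBUG=1; id > /tmp/pwned',
  '--privileged=1',
].join('\n');

// POSIX-style environment variable name; anything else is rejected.
const ENV_KEY = /^[A-Za-z_][A-Za-z0-9_]*$/;

// Parse KEY=VALUE lines. Blank lines and '#' comments are skipped and a pair of
// matching surrounding quotes is stripped. Deliberately no validation here:
// the parser reproduces what a permissive .env loader hands to the launcher.
function parseDotEnv(text) {
  const vars = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === '' || line.startsWith('#')) continue;
    const eq = line.indexOf('=');
    if (eq === -1) continue;
    const key = line.slice(0, eq).trim();
    let value = line.slice(eq + 1).trim();
    const first = value[0];
    if (value.length >= 2 && (first === '"' || first === "'") && value[value.length - 1] === first) {
      value = value.slice(1, -1);
    }
    vars[key] = value;
  }
  return vars;
}

// VULNERABLE shape: values are spliced into one command string destined for a
// shell. The ';' inside DEBUG terminates the docker command and what follows
// runs on the CI host, before the sandbox container exists.
function buildShellCommandUnsafe(vars, image) {
  const flags = Object.entries(vars)
    .map(([k, v]) => `-e ${k}=${v}`)
    .join(' ');
  return `docker run --rm ${flags} ${image}`;
}

// HARDENED shape: no shell at all. Each KEY=VALUE is a single argv element, so
// metacharacters are never interpreted; keys are validated so the file cannot
// smuggle in extra docker flags; control characters are refused outright.
function buildArgvSafe(vars, image) {
  if (typeof image !== 'string' || image === '' || image.startsWith('-')) {
    throw new Error(`rejected image reference: ${JSON.stringify(image)}`);
  }
  const args = ['run', '--rm'];
  for (const [key, value] of Object.entries(vars)) {
    if (!ENV_KEY.test(key)) {
      throw new Error(`rejected environment key: ${JSON.stringify(key)}`);
    }
    if (/[\0\r\n]/.test(value)) {
      throw new Error(`rejected control characters in value of ${key}`);
    }
    args.push('--env', `${key}=${value}`);
  }
  args.push(image);
  return args; // hand to child_process.execFile('docker', args), never to a shell
}

// Run both shapes against the sample and report what each would execute.
function demo(image = 'gemini-sandbox:latest') {
  const vars = parseDotEnv(SAMPLE_DOTENV);
  const unsafe = buildShellCommandUnsafe(vars, image);
  let rejected = null;
  try {
    buildArgvSafe(vars, image);
  } catch (err) {
    rejected = err.message;
  }
  // Drop the flag-shaped key to show how the hardened launcher carries the
  // hostile DEBUG value through as a harmless literal argument.
  const { '--privileged': _dropped, ...cleanVars } = vars;
  const argv = buildArgvSafe(cleanVars, image);
  return { unsafe, rejected, argv };
}

const result = demo();
console.log('shell string the vulnerable launcher would run:\n  ' + result.unsafe);
console.log('hardened launcher refused the file:\n  ' + result.rejected);
console.log('hardened argv after removing the bad key:\n  ' + JSON.stringify(result.argv));
```

Running the file with `node` prints the single shell string the vulnerable launcher would hand to a shell, the rejection the hardened launcher raises for the flag-shaped key, and the argv array in which `DEBUG=1; id > /tmp/pwned` is one element that `docker` receives verbatim. The point to take from the hardened shape is that the fix is not escaping: the launcher never constructs a shell command from file contents in the first place.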

Remediation

Vendor Solution

Ensure you are using the latest version of gemini cli and follow the best practices guide https://github.com/google-github-actions/run-gemini-cli/blob/main/docs/trust-guidance.md .


OpenCVE Recommended Actions

  • Upgrade Gemini CLI to version 0.39.1 or later and the run-gemini-cli GitHub Action to version 0.1.22 or later
  • Review and restrict CI workflow configuration so that only trusted sources can supply the .gemini/.env file the launcher reads; do not run the tool against a checkout, such as an unreviewed pull request, that an untrusted party can populate
  • Follow the trust guidance at https://github.com/google-github-actions/run-gemini-cli/blob/main/docs/trust-guidance.md to enforce sandboxing and limit command execution privileges

Generated by OpenCVE AI on June 24, 2026 at 14:50 UTC.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 21:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared  (none)           Google Cloud
                                      Google Cloud gemini Cli
                                      Google Cloud run-gemini-cli Github Action
Vendors & Products   (none)           Google Cloud
                                      Google Cloud gemini Cli
                                      Google Cloud run-gemini-cli Github Action

Wed, 24 Jun 2026 14:30:00 +0000

Type      Values Removed   Values Added
Metrics   (none)           ssvc
                           {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 24 Jun 2026 13:45:00 +0000

Type          Values Removed   Values Added
Description   (none)           Improper Neutralization used in an OS Command in the container launcher in Google Gemini CLI (versions prior to 0.39.1) and run-gemini-cli GitHub Action (versions prior to 0.1.22) on headless CI platforms allows an unprivileged attacker to achieve pre-sandbox host-level code execution a maliciously crafted .gemini/.env file.
Title         (none)           Unauthenticated Remote Code Execution in Gemini CLI CI/CD Workflows
Weaknesses    (none)           CWE-20
References    (none)           (none)
Metrics       (none)           cvssV4_0
                               {'score': 10, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/U:Clear'}


MITRE

Status: PUBLISHED

Assigner: GoogleCloud

Published:

Updated: 2026-06-24T13:53:24.904Z

Reserved: 2026-06-17T15:08:00.562Z

Link: CVE-2026-12537

Vulnrichment

Updated: 2026-06-24T13:52:36.223Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T20:40:47Z

Weaknesses
  • CWE-20

    Improper Input Validation