www.securityweek.com 4/30/2026, 12:50:51 PM · via preferred

Critical Gemini CLI flaw lets attackers run arbitrary host code

Primary Source novee.security

SecurityWeek reports a critical remote code execution flaw in Gemini CLI, an open source AI agent that provides lightweight access to Gemini from a terminal. The flaw could allow an attacker to run commands on the host by planting a malicious configuration in the workspace folder before sandbox initialisation.

According to Novee Security researchers, Gemini CLI automatically trusted the current workspace and loaded agent configurations without review or human approval, which could allow arbitrary commands to be executed on the host. The researchers said that, across affected workflows, the impact was consistent: code execution on the host could give an unprivileged outsider access to secrets, credentials, and source code reachable by the workflow.

They warned that a threat actor could have exploited the flaw to steal tokens and move laterally to downstream systems, and noted that, in a CI/CD context, this could facilitate a supply chain attack. According to SecurityWeek’s reporting, Google has patched the vulnerability in both Gemini CLI and the run-gemini-cli GitHub Action, and the disclosure is attributed to Novee researchers. The piece was written by Eduard Kovacs on 30 April 2026.


Article by CyberSIXT
