Google has fixed a maximum-severity security flaw in Gemini CLI and related GitHub Actions that could have allowed an attacker to execute code on a host. Novee Security describes the issue as a CVSS 10.0 RCE vulnerability that could load malicious Gemini configuration and bypass the agent’s sandbox. The flaw affects @google/gemini-cli versions before 0.39.1 and 0.40.0-preview.3, and google-github-actions/run-gemini-cli before 0.1.22, and it carries no CVE identifier.
According to Google’s advisory, the impact is limited to headless workflows using Gemini CLI, and trusted-folder reviews are required to configure the trust mechanism. Two mitigation approaches are suggested: set GEMINI_TRUST_WORKSPACE: 'true' for trusted inputs, or review Google's guidance to harden workflows and set the appropriate environment variables.
The update also introduces stricter tool allowlisting in --yolo mode to prevent remote code execution via untrusted inputs, noting that some workflows may fail silently unless allowlists are adjusted. In a separate disclosure, Novee Security warned of a Cursor vulnerability (CVE-2026-26268, CVSS 8.1) that could enable prompt-injection-based code execution, and a related CursorJacking issue with CVSS 8.2 that could expose API keys and credentials stored locally.
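An added example, not taken from Google's advisory or the action's own code: a Python check that scans workflow text for google-github-actions/run-gemini-cli references older than 0.1.22 and for GEMINI_TRUST_WORKSPACE settings that need an input-trust review. The vX.Y.Z tag format, the placement of the variable under env and the sample workflow are assumptions constructed for illustration.

```python
import re

# First fixed google-github-actions/run-gemini-cli release, per the article.
FIXED_ACTION = (0, 1, 22)
# Assumption: the action is referenced by a vX.Y.Z tag in a `uses:` line.
USES_RE = re.compile(r"""uses:\s*['"]?google-github-actions/run-gemini-cli@([^\s'"#]+)""")
TRUST_RE = re.compile(r"""GEMINI_TRUST_WORKSPACE\s*:\s*['"]?(\w+)""")

def classify_ref(ref):
    """Return 'vulnerable', 'fixed' or 'unknown' for an action ref."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", ref)
    if not m:
        # Branches, major-only tags and commit SHAs carry no comparable
        # version; resolve them to a release by hand.
        return "unknown"
    return "vulnerable" if tuple(map(int, m.groups())) < FIXED_ACTION else "fixed"

def audit_workflow(text):
    """Return (line_no, kind, value, status) findings for one workflow file."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # ignore commented-out steps
        m = USES_RE.search(line)
        if m:
            findings.append((n, "action", m.group(1), classify_ref(m.group(1))))
        t = TRUST_RE.search(line)
        if t:
            # 'true' is only appropriate for trusted inputs, so surface it for review.
            status = "review-inputs" if t.group(1).lower() == "true" else "not-trusted"
            findings.append((n, "trust", t.group(1), status))
    return findings

# Constructed sample workflow, not from a real repository.
SAMPLE = """\
name: constructed-example
on: [pull_request]
jobs:
  review:
    runs-on: ubuntu-latest
    steps:
      - uses: google-github-actions/run-gemini-cli@v0.1.21
        env:
          GEMINI_TRUST_WORKSPACE: 'true'
      - uses: google-github-actions/run-gemini-cli@v0.1.22
      - uses: google-github-actions/run-gemini-cli@main
"""

if __name__ == "__main__":
    for finding in audit_workflow(SAMPLE):
        print(finding)
```
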