www.securityweek.com 5/7/2026, 11:16:53 AM · via preferred

Gemini CLI flaw let attackers hijack AI agent via GitHub issue

Primary Source pillar.security

A critical vulnerability in Gemini CLI could have enabled a supply-chain attack by allowing attackers to inject malicious prompts into a GitHub issue and take over the AI agent used to triage those issues, according to Pillar Security. The flaw, assigned a CVSS score of 10/10 but with no CVE identifier, existed because Gemini CLI in --yolo mode would ignore tool allowlists, enabling execution of any command.

An attacker could have exploited this by posting a public issue on a Google GitHub repository and hiding malicious prompts in its text. Because --yolo mode automatically approves all tool calls, the attacker could then seize the AI agent responsible for triaging the issue.

Pillar notes that from those credentials the attacker could pivot to a token with full write access on the repository, allowing a full supply-chain compromise and the pushing of arbitrary code to the main branch of gemini-cli’s repository, which would be shipped to downstream users. Google addressed the vulnerability on 24 April 2026 in Gemini CLI version 0.39.1, which also updates the run-gemini-cli GitHub Action and fixes a lax trust issue affecting headless mode.
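For teams running their own triage agents, the combination described above (untrusted issue text, auto-approved tool calls, a write-capable token) can be checked for in workflow files. The following is an added example, not code from Pillar Security, Google or the article; the sample workflow and its `gemini --yolo` step are constructed, and the line-based heuristics are assumptions rather than a full YAML parse.

```python
import re

# Events whose payload (issue or comment text) any GitHub user can write.
UNTRUSTED_EVENTS = ("issues", "issue_comment", "pull_request_target")
AUTO_APPROVE = re.compile(r"(?<![\w-])--yolo\b")
WRITE_PERMS = re.compile(r"^\s*(permissions:\s*write-all|contents:\s*write)\s*$")

def untrusted_triggers(lines):
    """Return untrusted events named under the workflow's top-level `on:` key."""
    found, in_on = set(), False
    for code in lines:
        if re.match(r"on\s*:", code):
            in_on, code = True, code.split(":", 1)[1]
        elif code and not code[0].isspace():
            in_on = False          # another top-level key closes the `on:` block
        if in_on:
            found.update(t for t in re.findall(r"[a-z_]+", code) if t in UNTRUSTED_EVENTS)
    return sorted(found)

def audit_workflow(text):
    """Return findings for one workflow file, given as text (heuristic check)."""
    lines = [l.split("#", 1)[0].rstrip() for l in text.splitlines()]
    events = untrusted_triggers(lines)
    yolo = [n for n, l in enumerate(lines, 1) if AUTO_APPROVE.search(l)]
    write = [n for n, l in enumerate(lines, 1) if WRITE_PERMS.match(l)]
    findings = []
    if events and yolo:
        findings.append(f"line {yolo[0]}: --yolo auto-approves tool calls on "
                        f"untrusted trigger(s) {', '.join(events)}")
        if write:
            findings.append(f"line {write[0]}: job token can write to the repository")
    return findings

# Constructed sample workflow (not taken from any real repository).
RISKY = """\
on:
  issues:
    types: [opened]
permissions:
  contents: write
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - run: gemini --yolo
"""
SAFER = RISKY.replace(" --yolo", "").replace("contents: write", "contents: read")

if __name__ == "__main__":
    print(audit_workflow(RISKY), audit_workflow(SAFER))
```

A clean result only means these three signals did not coincide; it does not replace updating to the fixed Gemini CLI release named above.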


Article by CyberSIXT
