A critical vulnerability (CVE-2026-12537) in Google Cloud Gemini CLI poses a significant risk, rated CVSS 10, because it can lead to unauthenticated remote code execution in CI/CD workflows. Developers running Gemini CLI versions prior to 0.39.1, or run-gemini-cli GitHub Action versions prior to 0.1.22, are at risk. To mitigate, users must update to the latest versions and review and harden their GitHub Actions workflows.
The vulnerability allows attackers to exploit workspace trust issues by injecting malicious commands through environment files, potentially compromising the entire CI server.
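A pre-flight gate that a CI job can run before it invokes the Gemini CLI, as an added example written for this page rather than code from the advisory or the Gemini CLI project. It checks the installed CLI and Action versions against the fixed releases named above (0.39.1 and 0.1.22) and refuses to proceed when the change set under review introduces dotenv-style environment files. The ".env"/".env.*" naming and the format of the `gemini --version` output are assumptions; the advisory only says "environment files".

```python
"""Pre-flight gate for CI jobs that run the Gemini CLI.

Added example, not part of the advisory or of the Gemini CLI project.
Assumptions (not stated by the advisory):
- version output contains a plain dotted numeric version such as "0.39.0";
- the environment files at issue are dotenv-style files named ".env" or ".env.*".
"""
from __future__ import annotations

import os
import re
from typing import Iterable

FIXED_CLI_VERSION = "0.39.1"     # fixed Gemini CLI release (from the advisory)
FIXED_ACTION_VERSION = "0.1.22"  # fixed run-gemini-cli Action release (from the advisory)

# Assumed naming of the environment files a pull request should not be allowed to add.
ENV_FILE_RE = re.compile(r"^\.env(\..+)?$")


def parse_version(text: str) -> tuple[int, ...]:
    """Extract the first dotted numeric version from text: 'gemini 0.39.0' -> (0, 39, 0)."""
    match = re.search(r"(\d+(?:\.\d+)+)", text)
    if not match:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def is_vulnerable(installed: str, fixed: str) -> bool:
    """True when the installed version is older than the fixed one (tuple comparison)."""
    return parse_version(installed) < parse_version(fixed)


def untrusted_env_files(changed_paths: Iterable[str]) -> list[str]:
    """Return the paths in a change set whose basename is a dotenv-style file."""
    return sorted(p for p in changed_paths if ENV_FILE_RE.match(os.path.basename(p)))


def preflight(cli_version_output: str, action_version: str,
              changed_paths: Iterable[str]) -> list[str]:
    """Collect reasons to abort before the CLI runs; an empty list means proceed."""
    problems: list[str] = []
    if is_vulnerable(cli_version_output, FIXED_CLI_VERSION):
        found = ".".join(map(str, parse_version(cli_version_output)))
        problems.append(f"gemini CLI {found} is older than fixed {FIXED_CLI_VERSION}")
    if is_vulnerable(action_version, FIXED_ACTION_VERSION):
        problems.append(f"run-gemini-cli {action_version} is older than fixed {FIXED_ACTION_VERSION}")
    for path in untrusted_env_files(changed_paths):
        problems.append(f"change set introduces environment file {path}")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs standing in for `gemini --version` output,
    # the pinned Action tag, and `git diff --name-only` of a pull request.
    sample_cli_output = "0.39.0"
    sample_action_tag = "0.1.21"
    sample_changed = ["src/app.py", ".env", "config/.env.ci", "docs/environment.md"]
    for reason in preflight(sample_cli_output, sample_action_tag, sample_changed):
        print("ABORT:", reason)
    raise SystemExit(1 if preflight(sample_cli_output, sample_action_tag, sample_changed) else 0)
```

In a real workflow the three inputs would come from `gemini --version`, the Action version pinned in the workflow file, and `git diff --name-only` against the base branch; a non-zero exit stops the job before the CLI is ever started.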