Gemini CLI CVSS 10 Flaw Could Put CI/CD Workflows at Risk

Google and security researchers disclosed a CVSS 10.0 flaw in Gemini CLI this week, with public details landing on April 28, 2026 and wider coverage following on April 30, 2026.[1][2] The issue affects @google/gemini-cli and the run-gemini-cli GitHub Action when they are used in headless CI/CD workflows against untrusted content such as external pull requests.[1][2][3]


The dangerous part is not that Gemini CLI is “AI.” It is that older versions automatically trusted workspace folders in CI, which meant malicious repository content could load local .gemini/ configuration or environment data before the normal safety boundaries were in place. In the worst case, that opened a path to remote code execution on the CI host.[1][2][3]

If your pipeline reviews untrusted pull requests or issue content with Gemini automation, this is the kind of bug that turns convenience into a supply-chain problem.

What to patch

The affected versions are listed as @google/gemini-cli < 0.39.1 and google-github-actions/run-gemini-cli < 0.1.22.[1][2][3] Google’s update changes the trust model in headless mode, requires explicit workspace trust, and also hardens tool allowlisting under --yolo, where earlier builds could ignore fine-grained restrictions and end up executing broader shell commands than intended.[1][2]

If your workflow only runs on trusted inputs, Google says to review the pipeline and explicitly set GEMINI_TRUST_WORKSPACE: 'true'. If it processes untrusted pull requests, repositories, or issue content, the safer move is to keep trust disabled, upgrade immediately, and audit every place where Gemini is allowed to read repo-local configuration or invoke shell tooling.[1][3]
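The audit described above can be partly automated. The following is an added example, not code from Google or the advisory: a heuristic, regex-based check (not a YAML parser) that flags workflow files pinning an affected version or enabling workspace trust on a trigger that can carry outside content. The list of untrusted events and the finding labels are assumptions made for illustration.

```python
import re

# Fixed versions as stated in the article; anything lower is affected.
FIXED = {"google-github-actions/run-gemini-cli": (0, 1, 22),
         "@google/gemini-cli": (0, 39, 1)}
# GitHub Actions events that can deliver attacker-controlled content (assumed list).
UNTRUSTED_EVENTS = ("pull_request", "pull_request_target", "issues", "issue_comment")

REF = re.compile(r"(google-github-actions/run-gemini-cli|@google/gemini-cli)@([^\s'\"]+)")
TRUST_ON = re.compile(r"GEMINI_TRUST_WORKSPACE:\s*['\"]?true\b", re.I)
ON_BLOCK = re.compile(r"^on:(.*?)(?=^\S|\Z)", re.M | re.S)

def parse_version(ref):
    """Return (major, minor, patch) for refs like v0.1.21, else None."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", ref)
    return tuple(map(int, m.groups())) if m else None

def audit_workflow(text):
    """Return sorted finding strings for one workflow file's text."""
    findings = set()
    block = ON_BLOCK.search(text)
    triggers = block.group(1) if block else ""
    events = [e for e in UNTRUSTED_EVENTS if re.search(rf"\b{e}\b", triggers)]
    for name, ref in REF.findall(text):
        version = parse_version(ref)
        if version is None:
            # Commit SHAs, branches and tags like "v0" cannot be compared here.
            findings.add(f"unverified-pin {name}@{ref}")
        elif version < FIXED[name]:
            findings.add(f"affected-version {name}@{ref}")
    if events and TRUST_ON.search(text):
        findings.add("trust-enabled-on-untrusted-trigger " + ",".join(events))
    return sorted(findings)

# Constructed sample workflow, not taken from any real repository.
SAMPLE = """\
on:
  pull_request_target:
jobs:
  review:
    runs-on: ubuntu-latest
    env:
      GEMINI_TRUST_WORKSPACE: 'true'
    steps:
      - uses: google-github-actions/run-gemini-cli@v0.1.21
      - run: npm install -g @google/gemini-cli@0.39.1
"""
```

Running `audit_workflow` over each file in `.github/workflows/` gives a quick triage list; an `unverified-pin` result means the ref has to be resolved to a release by hand.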

This one deserves attention because it sits at the intersection of AI tooling, CI/CD automation, and supply-chain exposure. A bug in a local assistant is annoying. A bug in a headless action that touches untrusted code is the kind of thing that can spill secrets, tamper with builds, or hand an attacker a foothold inside your delivery pipeline.

References

  1. Novee. Update to Gemini CLI and run-gemini-cli Trust Model.
  2. The Hacker News. Google Fixes CVSS 10 Gemini CLI CI RCE and Cursor Flaws Enable Code Execution.
  3. GitHub Security Advisory: GHSA-wpqr-6v78-jr5g.


About the author

Emma Davis

Content editor and security writer focused on making malware-removal and scam-prevention guides easier to understand. Emma reviews structure, clarity, and source consistency before articles are published.
