GeminiJack No-Click Prompt Injection Vulnerability in Google Gemini Enterprise
Google addressed a critical vulnerability in its Gemini Enterprise AI assistant, identified as GeminiJack, which allowed attackers to exfiltrate sensitive corporate data through a no-click prompt injection attack. Discovered by Noma Labs, the flaw enabled malicious actors to embed hidden instructions within commonly shared documents, calendar invites, or emails. When an employee performed a standard search using Gemini Enterprise, the AI could automatically retrieve and execute these hidden instructions, granting attackers access to confidential information without any user interaction or warning.
The vulnerability stemmed from an architectural weakness in how Gemini Enterprise and Vertex AI Search interpret and process information across integrated Workspace data sources, including Gmail, Calendar, and Docs. Attackers could leverage this flaw to extract entire document stores, calendar histories, and years of email records by simply embedding indirect prompt injections in shared artifacts. Google has since fixed the issue following responsible disclosure by Noma Security, highlighting the risks associated with integrating AI assistants into enterprise environments without robust safeguards against prompt injection attacks.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Public disclosure of GeminiJack and Google's patch
Multiple security outlets reported that Google had fixed the GeminiJack zero-click flaw, which could silently exfiltrate sensitive corporate Google Workspace data without user interaction. Public reporting also detailed the indirect prompt-injection technique, affected products, and the difficulty of detecting the attack.
Google deploys architectural changes to mitigate GeminiJack
Google patched the vulnerability by changing how Gemini Enterprise and Vertex AI Search interact with indexed and retrieved data. As part of the mitigation, Vertex AI Search was separated from Gemini Enterprise and no longer shared the same RAG capabilities.
Google and Noma validate the GeminiJack exploit
After disclosure, Google worked with Noma to validate that poisoned Workspace content such as documents, emails, or calendar invites could cause Gemini to retrieve sensitive data and exfiltrate it through attacker-controlled image requests. The research established the issue as an architectural weakness in Gemini's retrieval-augmented generation workflow.
Noma Security reports GeminiJack to Google
Noma Security/Noma Labs discovered the GeminiJack zero-click prompt-injection flaw affecting Gemini Enterprise and Vertex AI Search and reported it to Google. Sources conflict on the exact report date, with references citing May 6, 2025, June 5, 2025, and August 2025 as the date Google received the report.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
7 references tracked. Mallory keeps watching after this page renders.
Google Fixes GeminiJack Zero-Click Flaw in Gemini Enterprise
thecyberexpress.com
Open sourceGeminiJack zero-click flaw in Gemini Enterprise allowed corporate data exfiltration
securityaffairs.com
Open sourceIndirect Malicious Prompt Technique Targets Google Gemini Enterprise
securityboulevard.com
Open sourceGemini Enterprise No-Click Flaw Exposes Sensitive Data
darkreading.com
Open sourceGoogle Patches AI Flaw That Turned Gemini Into a Spy
govinfosecurity.com
Open sourceGoogle Patches AI Flaw That Turned Gemini Into a Spy
bankinfosecurity.com
Open sourceNew GeminiJack 0-Click Flaw in Gemini AI Exposed Users to Data Leaks
hackread.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Google Gemini Indirect Prompt Injection via Calendar Invites Leaks Private Schedule Data
Researchers reported an **indirect prompt-injection** issue in *Google Gemini*’s integration with **Google Calendar** that allows a malicious calendar invite to act as a dormant instruction payload. By crafting natural-language directives in an event’s description field, an attacker can cause Gemini—when later asked routine questions like “What’s my schedule today?”—to ingest the attacker-controlled event content and follow embedded instructions that result in **exfiltration of private calendar details** (e.g., summarizing private meetings) into attacker-visible locations such as a newly created calendar event description. Both reports attribute the finding to **Miggo Security**, describing how the attack can bypass expected privacy controls by exploiting Gemini’s helpful behavior of parsing and acting on calendar data. The technique does not require traditional code execution; it relies on Gemini interpreting attacker-supplied text as instructions, enabling outcomes such as leaking sensitive meeting information and creating deceptive events. This highlights a broader risk pattern for LLM assistants embedded in productivity suites: attacker-controlled content in first-party data fields (like invites) can be weaponized to manipulate the assistant’s actions and data handling.
Mar 21, 2026
Google Gemini Voice Assistant Exposed to Notification-Based Prompt Injection
SafeBreach disclosed indirect prompt injection attacks against **Google Gemini’s Android voice assistant** that abuse its notification-reading capability to ingest malicious instructions from third-party apps including WhatsApp, Slack, Signal, Instagram, Messenger, and SMS. The researchers said crafted notifications can silently poison Gemini’s conversational context and manipulate responses without the user’s awareness, allowing attackers to present benign-looking content while embedding hidden or obfuscated prompts that the assistant interprets as trusted instructions. SafeBreach said its **Fake Context Alignment** technique bypassed Google’s earlier mitigations by using foreign-language text, muted hyperlinks, and other concealed prompt formats to trick backend authorization logic into treating a victim’s normal reply as approval for sensitive actions. Demonstrated impacts included phishing and social engineering using trusted contact names, smart home control, URL opening, Zoom or other cross-app actions, covert camera streaming, persistent memory poisoning across Google Workspace, and recurring surveillance tasks; Google said classifier improvements deployed after the August 2025 report mitigated the indirect prompt injection and delayed tool invocation scenarios described.
Jun 5, 2026
Google Chrome Gemini AI Agent Enhanced to Counter Prompt Injection Attacks
Google has acknowledged the significant risk of prompt injection attacks targeting its Gemini-powered Chrome browsing agent, which can be manipulated to perform unauthorized actions such as initiating financial transactions or exfiltrating sensitive data. In response, Google has introduced a second AI model, termed the 'user alignment critic,' designed to independently vet the agent's proposed actions before execution. This model operates in isolation from untrusted web content, providing an additional layer of defense against both goal hijacking and data leakage. The move comes as prompt injection has been identified as a leading vulnerability in AI systems, with industry bodies like OWASP and the UK's National Cyber Security Centre highlighting its prevalence and difficulty to mitigate due to the structural limitations of large language models. The Gemini-powered browsing agent, currently in preview, is capable of navigating websites, clicking buttons, and filling forms while users are logged into sensitive accounts, increasing the potential impact of successful attacks. Security experts and analysts have emphasized the need for robust safeguards, as malicious instructions can be hidden in web pages, iframes, or user-generated content. Google's dual-model approach aims to address these concerns by ensuring that any action not aligned with the user's intent is blocked, thereby reducing the risk of exploitation through prompt injection. The development reflects a broader industry trend of reassessing the security of AI-driven browsers and the need for advanced countermeasures to protect users and organizations from emerging threats.
Mar 21, 2026