Google Gemini Indirect Prompt Injection via Calendar Invites Leaks Private Schedule Data
Researchers reported an indirect prompt-injection issue in Google Gemini’s integration with Google Calendar that allows a malicious calendar invite to act as a dormant instruction payload. By crafting natural-language directives in an event’s description field, an attacker can cause Gemini—when later asked routine questions like “What’s my schedule today?”—to ingest the attacker-controlled event content and follow embedded instructions that result in exfiltration of private calendar details (e.g., summarizing private meetings) into attacker-visible locations such as a newly created calendar event description.
Both reports attribute the finding to Miggo Security, describing how the attack can bypass expected privacy controls by exploiting Gemini’s helpful behavior of parsing and acting on calendar data. The technique does not require traditional code execution; it relies on Gemini interpreting attacker-supplied text as instructions, enabling outcomes such as leaking sensitive meeting information and creating deceptive events. This highlights a broader risk pattern for LLM assistants embedded in productivity suites: attacker-controlled content in first-party data fields (like invites) can be weaponized to manipulate the assistant’s actions and data handling.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Researchers publicly disclose the Gemini Calendar attack technique
On January 20, 2026, multiple reports described Miggo's public disclosure of the flaw, including the attack chain, its bypass of Google's prompt defenses, and the risk of exposing private meeting details through malicious calendar invites.
Google adds mitigations and fixes the reported Gemini flaw
Google implemented mitigations for the specific exploit and later confirmed the vulnerability had been fixed, addressing the reported exposure of private Google Calendar meeting data through Gemini.
Miggo reports Gemini Calendar data-exfiltration issue to Google
After validating the attack, Miggo shared its findings with Google, describing how Gemini could be induced to summarize private meetings and write the stolen details into a newly created calendar event.
Miggo discovers Calendar invite prompt-injection flaw in Gemini
Miggo Security identified an indirect prompt-injection vulnerability in Google Gemini's Google Calendar integration, where malicious natural-language instructions embedded in a calendar invite description could remain dormant until a user asked Gemini about their schedule.
SafeBreach demonstrates earlier Calendar/Gemini prompt-injection technique
An August 2025 SafeBreach demonstration showed prior prompt-injection risks involving Google Calendar and Gemini, establishing earlier research into abusing calendar content to influence the assistant.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
5 references tracked. Mallory keeps watching after this page renders.
Calendar Spy: How "Indirect Prompt Injection" Turned Google Gemini Into a Spy
securityonline.info
Open sourceMalicious Google Calendar invites could expose private data | Malwarebytes
malwarebytes.com
Open sourceGoogle Gemini flaw allowed meeting data exposure | SC Media
scworld.com
Open sourceGemini AI assistant tricked into leaking Google Calendar data
bleepingcomputer.com
Open sourceGoogle Gemini Flaw Turns Calendar Invites Into Attack Vector
darkreading.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
GeminiJack No-Click Prompt Injection Vulnerability in Google Gemini Enterprise
Google addressed a critical vulnerability in its Gemini Enterprise AI assistant, identified as GeminiJack, which allowed attackers to exfiltrate sensitive corporate data through a no-click prompt injection attack. Discovered by Noma Labs, the flaw enabled malicious actors to embed hidden instructions within commonly shared documents, calendar invites, or emails. When an employee performed a standard search using Gemini Enterprise, the AI could automatically retrieve and execute these hidden instructions, granting attackers access to confidential information without any user interaction or warning. The vulnerability stemmed from an architectural weakness in how Gemini Enterprise and Vertex AI Search interpret and process information across integrated Workspace data sources, including Gmail, Calendar, and Docs. Attackers could leverage this flaw to extract entire document stores, calendar histories, and years of email records by simply embedding indirect prompt injections in shared artifacts. Google has since fixed the issue following responsible disclosure by Noma Security, highlighting the risks associated with integrating AI assistants into enterprise environments without robust safeguards against prompt injection attacks.
Mar 21, 2026
Google Gemini Voice Assistant Exposed to Notification-Based Prompt Injection
SafeBreach disclosed indirect prompt injection attacks against **Google Gemini’s Android voice assistant** that abuse its notification-reading capability to ingest malicious instructions from third-party apps including WhatsApp, Slack, Signal, Instagram, Messenger, and SMS. The researchers said crafted notifications can silently poison Gemini’s conversational context and manipulate responses without the user’s awareness, allowing attackers to present benign-looking content while embedding hidden or obfuscated prompts that the assistant interprets as trusted instructions. SafeBreach said its **Fake Context Alignment** technique bypassed Google’s earlier mitigations by using foreign-language text, muted hyperlinks, and other concealed prompt formats to trick backend authorization logic into treating a victim’s normal reply as approval for sensitive actions. Demonstrated impacts included phishing and social engineering using trusted contact names, smart home control, URL opening, Zoom or other cross-app actions, covert camera streaming, persistent memory poisoning across Google Workspace, and recurring surveillance tasks; Google said classifier improvements deployed after the August 2025 report mitigated the indirect prompt injection and delayed tool invocation scenarios described.
Jun 5, 2026
AI Chatbot Security Risks: Prompt Injection Data Exfiltration and Privacy Trade-offs in New Consumer Tiers
Researchers disclosed an **indirect prompt injection** technique against **Google Gemini** that used a malicious **Google Calendar invite** to bypass guardrails and exfiltrate private meeting details. By embedding a hidden natural-language payload in an event description, an attacker could cause Gemini—when later asked an innocuous scheduling question—to summarize a user’s private meetings and write that summary into a newly created calendar event; in many enterprise configurations, that new event could be visible to the attacker, enabling data theft without additional user interaction. The issue was reported as remediated after responsible disclosure, underscoring how AI assistants integrated with enterprise SaaS can create new cross-application data-extraction paths. Separately, OpenAI product rollouts raised enterprise data-handling concerns tied to consumer usage. **ChatGPT Go** (a low-cost tier) was described as introducing an **ad-supported** model that could increase exposure of conversation data and usage patterns to advertising ecosystems, amplifying “shadow AI” risk when employees use personal accounts for work. **ChatGPT Health** was positioned as a dedicated health experience with added protections (e.g., encryption/isolation and claims that user data is not used to train foundation models), but reporting highlighted unresolved questions around safety, privacy, and how sensitive health information is protected in practice—areas that may require additional governance and controls if employees adopt these tools outside approved enterprise channels.
Mar 21, 2026