Unrated

RCE in Google Gemini CLI and run-gemini-cli GitHub Action via crafted .gemini/.env

IdentifiersCVE-2026-12537CWE-78

CVE-2026-12537 is a critical unauthenticated remote code execution vulnerability in the container launcher of Google Gemini CLI and the related run-gemini-cli GitHub Action. It affects Google Gemini CLI versions prior to 0.39.1 (including affected preview builds noted in the source material) and run-gemini-cli versions prior to 0.1.22. The flaw is described as improper neutralization used in an OS command, enabling attacker-controlled data from a maliciously crafted .gemini/.env file to influence command execution in headless CI environments. Supporting context also indicates the issue was exacerbated by automatic workspace trust in headless mode and insufficient enforcement of tool allowlists in --yolo mode. In vulnerable CI/CD workflows, particularly those processing untrusted repository content such as pull requests, the CLI could load attacker-controlled configuration or environment data and reach pre-sandbox host-level code execution.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows an unprivileged remote attacker to obtain pre-sandbox host-level code execution on affected headless CI platforms. In practical terms, this can result in full compromise of the CI job and potentially the underlying runner context, including theft of CI secrets and tokens, unauthorized command execution, modification of build artifacts, tampering with pipeline outputs, and possible pivoting to connected systems or cloud resources. The available context characterizes the confidentiality, integrity, and availability impact as complete/high.

Mitigation

If you can’t patch tonight, do this now.

Until upgrades are fully deployed, avoid running affected Gemini CLI components in headless CI workflows on untrusted inputs such as external pull requests. Do not enable workspace trust for untrusted repositories; set GEMINI_TRUST_WORKSPACE=true only where the repository is explicitly trusted. Prevent loading of attacker-controlled workspace configuration files where possible, enforce strict tool allowlists, disable or avoid unnecessary shell command execution paths, and isolate CI runners and secrets exposure for jobs that process untrusted content.

Remediation

Patch, then assume compromise.

Upgrade Google Gemini CLI to version 0.39.1 or later; where applicable, use the fixed preview build 0.40.0-preview.3 or later as referenced in the supporting content. Upgrade google-github-actions/run-gemini-cli to version 0.1.22 or later. The fixes reportedly change headless behavior to require explicit workspace trust before loading configuration files such as .gemini/.env and enforce tool allowlisting even in --yolo mode. Review CI/CD workflows that invoke Gemini CLI against untrusted repository content and remove unsafe assumptions about workspace trust.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

GoogleGemini-Cliapplication

GoogleRun-Gemini-Cliapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

7 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

7 SOURCESView more in app

cyber security newsNews

Jun 29, 2026

Critical Gemini CLI Vulnerability Let Attackers Execute Arbitrary Code

A critical remote code execution vulnerability in Google Gemini CLI and its related GitHub Action caused by improper workspace trust handling in headless CI environments and allowlist bypass behavior in --yolo mode, enabling arbitrary command execution in CI/CD pipelines processing untrusted input.

cvefeed high severityNews

Jun 24, 2026

CVE-2026-12537 - Unauthenticated Remote Code Execution in Gemini CLI CI/CD Workflows

A critical unauthenticated remote code execution vulnerability in Google Gemini CLI and the run-gemini-cli GitHub Action that allows pre-sandbox host-level code execution on headless CI platforms via a malicious .gemini/.env file.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity5

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2026-12537

NVD

nvd.nist.gov/vuln/detail/CVE-2026-12537

MITRE CWE · CWE-78

cwe.mitre.org