CVE-2026-12537: Gemini CLI OS command injection

CISO Take

CVE-2026-12537 is a critical OS command injection flaw in Google Gemini CLI (versions prior to 0.39.1) and the run-gemini-cli GitHub Action (versions prior to 0.1.22), triggered when the container launcher parses a maliciously crafted .gemini/.env file before sandbox protections are applied. The pre-sandbox nature of exploitation is what makes this especially severe: container isolation provides zero protection, and an attacker achieves full host-level code execution with access to every CI/CD secret, cloud credential, and API key present on the runner. Any organization running Gemini CLI in CI pipelines that accept external pull requests is exposed to a straightforward supply chain attack — a contributor submits a malicious .gemini/.env file, the pipeline triggers automatically, and the host is compromised without any authentication or user interaction. Patch immediately to Gemini CLI 0.39.1+ and run-gemini-cli Action 0.1.22+, rotate all CI secrets that ran under vulnerable versions, and audit .gemini/ directories in all repositories for unexpected content.

Sources: NVD GitHub Advisory ATLAS

What is the risk?

Critical risk for any organization using Gemini CLI in CI/CD workflows. The pre-sandbox execution defeats container isolation entirely, and CI runners typically carry disproportionately powerful credentials — AWS keys, GCP service accounts, registry tokens, deploy keys, and AI service API keys. No EPSS data is yet available, but the exploit primitive is straightforward: craft a .env file and trigger a pipeline run. The GitHub Action vector significantly expands the attack surface to any public or semi-public repository using run-gemini-cli in pull-request workflows, lowering the bar for opportunistic attackers to near-zero. The single prior CVE in the gemini-cli package and the recent (2026-06-21) last push to the project suggest active development with an evolving security posture.

How does the attack unfold?

Malicious Artifact Delivery

Attacker plants a crafted .gemini/.env file in a target repository via pull request, containing OS command injection payloads targeting Gemini CLI's container launcher parsing logic.

AML.T0011.000

CI Pipeline Trigger

The victim's automated CI pipeline invokes the vulnerable run-gemini-cli GitHub Action on the pull request, launching Gemini CLI in a headless CI environment with access to runner secrets.

AML.T0010.005

Pre-Sandbox OS Command Injection

The container launcher parses the malicious .gemini/.env file before sandbox protections activate, executing the injected OS commands at host level with full runner privileges.

AML.T0050

Host Compromise and Exfiltration

Attacker achieves full host-level code execution, exfiltrating CI secrets (GITHUB_TOKEN, cloud credentials, API keys) to an external server and potentially persisting access or pivoting to production environments.

AML.T0105

Malicious Artifact Delivery

Attacker plants a crafted .gemini/.env file in a target repository via pull request, containing OS command injection payloads targeting Gemini CLI's container launcher parsing logic.

AML.T0011.000

CI Pipeline Trigger

The victim's automated CI pipeline invokes the vulnerable run-gemini-cli GitHub Action on the pull request, launching Gemini CLI in a headless CI environment with access to runner secrets.

AML.T0010.005

Pre-Sandbox OS Command Injection

The container launcher parses the malicious .gemini/.env file before sandbox protections activate, executing the injected OS commands at host level with full runner privileges.

AML.T0050

Host Compromise and Exfiltration

Attacker achieves full host-level code execution, exfiltrating CI secrets (GITHUB_TOKEN, cloud credentials, API keys) to an external server and potentially persisting access or pivoting to production environments.

AML.T0105

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
Gemini CLI	npm	—	No patch
105.5K Pushed 3d ago 33% patched ~0d to patch Full package profile →
Gemini CLI	npm	—	No patch
105.5K Pushed 3d ago 33% patched ~0d to patch Full package profile →
Gemini CLI	—	—	No patch

How severe is it?

CVSS 3.1

N/A

EPSS

N/A

Exploitation Status

No known exploitation

Sophistication

Moderate

What should I do?

7 steps

Immediately upgrade Google Gemini CLI to version 0.39.1 or later and the run-gemini-cli GitHub Action to version 0.1.22 or later — pin the Action to a specific commit SHA rather than a mutable tag.
Rotate all CI/CD secrets (GITHUB_TOKEN, cloud provider credentials, API keys, registry tokens) that were accessible in environments running vulnerable versions.
Audit all repository .gemini/ directories for unexpected or modified .env files, especially in repositories with external contributor access.
Immediately disable or quarantine run-gemini-cli workflows triggered by external pull requests until patching is confirmed.
Review CI runner logs from the past 90 days for anomalous process spawning, outbound network connections, or unexpected secret access during Gemini CLI steps.
Apply least-privilege to CI runners: avoid storing production credentials in runner environments that process AI tool workflows.
Implement repository-level policy blocking .gemini/.env files from external contributors via CODEOWNERS or branch protection rules.

How is it classified?

Code Execution Supply Chain Agent Plugin AML.T0010.005 - AI Agent Tool AML.T0011.000 - Unsafe AI Artifacts AML.T0050 - Command and Scripting Interpreter AML.T0081 - Modify AI Agent Configuration AML.T0105 - Escape to Host

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Art. 9 - Risk management system

ISO 42001

A.6.1.5 - AI supply chain security controls

NIST AI RMF

GOVERN 6.1 - Policies and procedures for AI supply chain risk management

OWASP LLM Top 10

LLM03 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2026-12537?

CVE-2026-12537 is a critical OS command injection flaw in Google Gemini CLI (versions prior to 0.39.1) and the run-gemini-cli GitHub Action (versions prior to 0.1.22), triggered when the container launcher parses a maliciously crafted .gemini/.env file before sandbox protections are applied. The pre-sandbox nature of exploitation is what makes this especially severe: container isolation provides zero protection, and an attacker achieves full host-level code execution with access to every CI/CD secret, cloud credential, and API key present on the runner. Any organization running Gemini CLI in CI pipelines that accept external pull requests is exposed to a straightforward supply chain attack — a contributor submits a malicious .gemini/.env file, the pipeline triggers automatically, and the host is compromised without any authentication or user interaction. Patch immediately to Gemini CLI 0.39.1+ and run-gemini-cli Action 0.1.22+, rotate all CI secrets that ran under vulnerable versions, and audit .gemini/ directories in all repositories for unexpected content.

Is CVE-2026-12537 actively exploited?

No confirmed active exploitation of CVE-2026-12537 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-12537?

1. Immediately upgrade Google Gemini CLI to version 0.39.1 or later and the run-gemini-cli GitHub Action to version 0.1.22 or later — pin the Action to a specific commit SHA rather than a mutable tag. 2. Rotate all CI/CD secrets (GITHUB_TOKEN, cloud provider credentials, API keys, registry tokens) that were accessible in environments running vulnerable versions. 3. Audit all repository .gemini/ directories for unexpected or modified .env files, especially in repositories with external contributor access. 4. Immediately disable or quarantine run-gemini-cli workflows triggered by external pull requests until patching is confirmed. 5. Review CI runner logs from the past 90 days for anomalous process spawning, outbound network connections, or unexpected secret access during Gemini CLI steps. 6. Apply least-privilege to CI runners: avoid storing production credentials in runner environments that process AI tool workflows. 7. Implement repository-level policy blocking .gemini/.env files from external contributors via CODEOWNERS or branch protection rules.

What systems are affected by CVE-2026-12537?

This vulnerability affects the following AI/ML architecture patterns: CI/CD pipelines with AI coding assistants, GitHub Actions workflows, AI-assisted code review pipelines, Agent frameworks, Agentic development environments.

What is the CVSS score for CVE-2026-12537?

No CVSS score has been assigned yet.

What is the AI security impact?

Affected AI Architectures

CI/CD pipelines with AI coding assistantsGitHub Actions workflowsAI-assisted code review pipelinesAgent frameworksAgentic development environments

MITRE ATLAS Techniques

AML.T0010.005 AI Agent Tool

AML.T0011.000 Unsafe AI Artifacts

AML.T0050 Command and Scripting Interpreter

AML.T0081 Modify AI Agent Configuration

AML.T0105 Escape to Host

Compliance Controls Affected

EU AI Act: Art. 9

ISO 42001: A.6.1.5

NIST AI RMF: GOVERN 6.1

OWASP LLM Top 10: LLM03

What are the technical details?

Original Advisory

Improper Neutralization used in an OS Command in the container launcher in Google Gemini CLI (versions prior to 0.39.1) and run-gemini-cli GitHub Action (versions prior to 0.1.22) on headless CI platforms allows an unprivileged attacker to achieve pre-sandbox host-level code execution a maliciously crafted .gemini/.env file.

Exploitation Scenario

An attacker identifies a public repository using the run-gemini-cli GitHub Action in its CI pipeline (discoverable via GitHub code search for 'uses: google-github-actions/run-gemini-cli'). The attacker forks the repository and submits a pull request that includes a crafted .gemini/.env file containing an OS command injection payload targeting the container launcher — for example, embedding shell metacharacters that execute a curl command to an attacker-controlled server. The repository's CI pipeline automatically triggers on the PR via GitHub Actions, invoking the vulnerable Gemini CLI. Before sandbox initialization, the container launcher parses the malicious .env file and executes the injected OS commands at host level. The payload exfiltrates the GITHUB_TOKEN, GEMINI_API_KEY, and any cloud provider credentials present in the runner environment to the attacker's server. With the GITHUB_TOKEN, the attacker can push malicious commits to the main branch, escalating from a read-only PR submission to full repository compromise.

Weaknesses (CWE)

CWE-20 Improper Input Validation

CWE-20 — Improper Input Validation: The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

[Architecture and Design] Consider using language-theoretic security (LangSec) techniques that characterize inputs using a formal language and build "recognizers" for that language. This effectively requires parsing to be a distinct layer that effectively enforces a boundary between raw input and internal data representations, instead of allowing parser code to be scattered throughout the program, where it could be subject to errors or inconsistencies that create weaknesses. [REF-1109] [REF-1110] [REF-1111]
[Architecture and Design] Use an input validation framework such as Struts or the OWASP ESAPI Validation API. Note that using a framework does not automatically address all input validation problems; be mindful of weaknesses that could arise from misusing the framework itself (CWE-1173).

Source: MITRE CWE corpus.