Overview
- Google released fixes for @google/gemini-cli (>=0.39.1 and >=0.40.0-preview.3) and the run-gemini-cli GitHub Action (>=0.1.22) after researchers found a remote code execution flaw with a CVSS score of 10.0.
- The bug came from headless mode automatically trusting the workspace, so the tool loaded .gemini configuration and environment variables from the checked-out repository and ran commands before any sandbox started.
- The result was code execution on the host runner, which researchers said could expose tokens, credentials, and source code and could enable supply-chain attacks inside CI pipelines.
- Google now requires explicit folder trust and advises setting GEMINI_TRUST_WORKSPACE: 'true' for trusted inputs, and it changed --yolo mode so tool calls must be on an allowlist, which may break some existing workflows.
- The Register and The Hacker News note broader risks shown in Cursor’s February sandbox escape (CVE-2026-26268) and LayerX’s reported CursorJacking issue, underscoring systemic weaknesses in AI developer tools that act inside repositories.
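The two middle bullets describe a trust decision that a CI job can make explicitly before it invokes the CLI: does the checked-out workspace carry tool configuration, and did it come from a source the workflow author trusts? The following pre-flight gate is an added example written for this summary; it is not code from Google, the gemini-cli project, or the cited articles. It assumes the configuration directory is `.gemini/` (named in the advisory summary) and that environment variables would be shipped in a `.env` file (an assumption), and it emits the `GEMINI_TRUST_WORKSPACE` variable named above. The `from_fork` flag is assumed to be derived by the caller from the CI event payload (on GitHub Actions, `github.event.pull_request.head.repo.fork`).

```python
"""Pre-flight gate for CI jobs that run an AI coding CLI with workspace trust.

Added example, not part of the original summary or the gemini-cli project.
Trust is never inferred from the checkout itself: the workflow author declares
it, and it is withheld for untrusted (fork) sources, with any repository-
supplied tool configuration surfaced as findings for the job log.
"""
from __future__ import annotations

import tempfile
from dataclasses import dataclass, field
from pathlib import Path

# Paths whose presence means the checked-out repository can influence the CLI
# before any sandbox starts. ".gemini/" comes from the advisory summary; the
# ".env" file name is an assumption about how env vars might be shipped.
CONFIG_DIRS = (".gemini",)
ENV_FILES = (".env",)


@dataclass
class TrustDecision:
    trust_workspace: bool
    findings: list[str] = field(default_factory=list)

    def env(self) -> dict[str, str]:
        """Environment to pass to the CLI step (variable name from the advisory)."""
        return {"GEMINI_TRUST_WORKSPACE": "true" if self.trust_workspace else "false"}


def scan_workspace(root: Path) -> list[str]:
    """List repository-supplied files that could configure the tool."""
    findings: list[str] = []
    for d in CONFIG_DIRS:
        cfg = root / d
        if cfg.is_dir():
            for f in sorted(cfg.rglob("*")):
                if f.is_file():
                    findings.append(f.relative_to(root).as_posix())
    for e in ENV_FILES:
        if (root / e).is_file():
            findings.append(e)
    return findings


def decide_trust(root: Path, from_fork: bool, explicitly_trusted: bool = False) -> TrustDecision:
    """Grant workspace trust only when declared by the workflow and the
    source is not a fork; always report what configuration the checkout ships."""
    findings = scan_workspace(root)
    return TrustDecision(explicitly_trusted and not from_fork, findings)


def build_sample_workspace() -> Path:
    """Constructed sample checkout (not real data): ships both a .gemini
    settings file and a .env file, as an untrusted contribution might."""
    root = Path(tempfile.mkdtemp(prefix="ws-"))
    (root / ".gemini").mkdir()
    (root / ".gemini" / "settings.json").write_text("{}\n")  # assumed file name
    (root / ".env").write_text("EXAMPLE_TOKEN=constructed-value\n")
    return root


if __name__ == "__main__":
    ws = build_sample_workspace()
    for fork in (True, False):
        d = decide_trust(ws, from_fork=fork, explicitly_trusted=True)
        print(f"from_fork={fork}: env={d.env()} findings={d.findings}")
```

The job would run this before the CLI step and export the returned variable, so an untrusted checkout never reaches the tool with `GEMINI_TRUST_WORKSPACE` set to `'true'`, and the presence of `.gemini/` or `.env` in that checkout is visible in the log rather than silently loaded.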