2026-05-05-gemini-cli-cvss-10-rce-fix
security, agents, models, tooling
Summary
Google patched a CVSS 10.0 vulnerability in Gemini CLI affecting both the npm package and the GitHub Actions workflow. An unprivileged attacker could force malicious content to load as Gemini configuration, triggering command execution on the host system before the agent’s sandbox initialized. In headless mode on untrusted folders, the flaw enabled RCE via a malicious .gemini/ directory. Fixed in v0.39.1 and v0.40.0-preview.3. The fix changes --yolo mode so that it now evaluates tool allowlists, which is a breaking change for CI/CD pipelines relying on the old permissive mode.
Implications
- Third major CLI agent security incident: Claude Code CVE chain (unpatched credential exfil), Cursor RCE, now Gemini CLI CVSS 10 RCE
- The pattern: agent configuration directories (.claude/, .gemini/, .cursor/) are attack surfaces that execute before sandboxes initialize
- CI/CD pipelines using --yolo mode need immediate remediation: the fix intentionally breaks the permissive workflow
- Feeds: Claude Code security thread (parallel vulnerability pattern), agent security surface, supply chain attack thread
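A pre-flight gate for the pattern in the list above, written as an added example (not Google's fix and not code from any of the projects named): it lists agent configuration directories in a checked-out workspace so a CI job can stop before a headless agent run loads them. The directory names come from this page; the function name, variable name and return codes are assumptions made for the example.

```shell
#!/bin/sh
# Added example: refuse to start a headless agent run when the checkout
# carries agent configuration directories that nobody has reviewed.
# Directory names are the ones this page lists; everything else is assumed.

AGENT_CONFIG_DIRS=".gemini .claude .cursor"

# find_agent_config_dirs WORKSPACE
# Prints each agent config directory (or symlink carrying one of those
# names) found under WORKSPACE, one path per line, sorted.
# Returns 0 if none were found, 1 if any were found, 2 on bad input.
find_agent_config_dirs() {
    ws=$1
    [ -d "$ws" ] || { echo "not a directory: $ws" >&2; return 2; }
    found=$(
        for name in $AGENT_CONFIG_DIRS; do
            # -type d matches real directories; -type l matches symlinks,
            # which could redirect config loading outside the workspace.
            # Anything inside a .git directory is skipped.
            find "$ws" -name .git -prune -o \
                \( -name "$name" \( -type d -o -type l \) \) -print
        done | sort
    )
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}
```

Call it on the checkout path before the agent step and fail the job, or require a reviewer to approve the listed paths, when it returns 1. It complements upgrading to a fixed release; it does not replace it.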