RCE Vulnerability in Gemini CLI and Cursor AI: Details and Patches
Details on the critical severity vulnerability in Gemini CLI, the flaw in Cursor AI, and the hijacking of the Gemini panel in Chrome. Dates, versions, and patc…

On April 29, 2026, Novee Security published a report on a critical severity vulnerability in Gemini CLI that allowed the execution of arbitrary commands on host systems. The flaw highlights new supply-chain attack vectors and sandbox escapes for CI/CD pipelines.
The Critical Flaw in Gemini CLI: Code Execution Before Sandbox
The vulnerability discovered by Novee Security affects the npm package @google/gemini-cli in versions prior to 0.40.0-preview.3 and the GitHub Actions workflow google-github-actions/run-gemini-cli in versions prior to 0.1.22. The critical severity rating reflects how serious the exposure is for development environments.
The issue lies in the ability of an unprivileged external attacker to manipulate the AI agent's configuration. As highlighted by the researchers, "The vulnerability allowed an unprivileged external attacker to force their own malicious content to load as Gemini configuration". This action triggers code execution directly on the host. Novee Security researchers explained that "This triggered command execution directly on the host system, bypassing security before the agent’s sandbox even initialized", demonstrating a radical sandbox escape that renders the system's intended containment defenses useless.
Around April 23, 2026, Google published an advisory to limit the impact of the Gemini CLI vulnerability, restricting the risk only to workflows operating in headless mode.
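A defender-side check for the version thresholds given above, as an added example that is not code from Novee Security, Google or the original article: it flags pinned @google/gemini-cli versions and run-gemini-cli workflow refs below the fixed releases, using SemVer precedence so that a prerelease such as 0.40.0-preview.10 sorts after 0.40.0-preview.3. The function names, the sample workflow and the assumption that the action is referenced by version tags with an optional leading "v" are constructed for illustration.

```javascript
// Fixed versions as stated in the article.
const FIXED_CLI = "0.40.0-preview.3"; // @google/gemini-cli
const FIXED_ACTION = "0.1.22";        // google-github-actions/run-gemini-cli

// Parse "1.2.3" or "1.2.3-pre.4" (optional leading "v"); null if not a full version.
function parse(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+.*)?$/.exec(v.trim());
  return m && { core: [+m[1], +m[2], +m[3]], pre: m[4] ? m[4].split(".") : [] };
}

// SemVer precedence: negative if a < b, 0 if equal, positive if a > b.
function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a.core[i] !== b.core[i]) return a.core[i] - b.core[i];
  if (!a.pre.length || !b.pre.length) return b.pre.length - a.pre.length; // release > prerelease
  for (let i = 0; i < Math.max(a.pre.length, b.pre.length); i++) {
    const x = a.pre[i], y = b.pre[i];
    if (x === undefined) return -1; // fewer prerelease fields sorts lower
    if (y === undefined) return 1;
    if (x === y) continue;
    const nx = /^\d+$/.test(x), ny = /^\d+$/.test(y);
    if (nx && ny) return +x - +y;      // numeric fields compare as numbers
    if (nx !== ny) return nx ? -1 : 1; // numeric fields sort below alphanumeric
    return x < y ? -1 : 1;             // alphanumeric fields compare in ASCII order
  }
  return 0;
}

// "affected" | "fixed" | "unknown" (ranges, branch names, commit SHAs, floating tags).
function status(version, fixed) {
  const v = parse(version);
  if (!v) return "unknown";
  return compare(v, parse(fixed)) < 0 ? "affected" : "fixed";
}

// Scan workflow YAML text for "uses: google-github-actions/run-gemini-cli@<ref>".
function auditWorkflow(yaml) {
  const re = /uses:\s*['"]?google-github-actions\/run-gemini-cli@([^\s'"#]+)/g;
  return [...yaml.matchAll(re)].map(m => ({ ref: m[1], status: status(m[1], FIXED_ACTION) }));
}

// Constructed sample workflow (not taken from any real repository).
const SAMPLE_WORKFLOW = `
steps:
  - uses: actions/checkout@v4
  - uses: google-github-actions/run-gemini-cli@v0.1.21
  - uses: google-github-actions/run-gemini-cli@v0.1.22
  - uses: google-github-actions/run-gemini-cli@v0
`;
console.log(status("0.40.0-preview.2", FIXED_CLI), auditWorkflow(SAMPLE_WORKFLOW));
```

A ref reported as unknown (a commit SHA, a branch or a floating major tag) has to be resolved to a release by hand before the workflow can be considered patched.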
Gemini CLI and the Threat of Prompt Injection
The remote code execution (RCE) vulnerability exploits prompt injection techniques. In CI/CD environments where input is controllable, a crafted prompt manages to bypass AI security filters and trigger the execution of system commands on the host.
Cursor AI Editor and Arbitrary Code Execution
Novee Security highlighted a high severity vulnerability within the Cursor AI editor in versions prior to 2.5. This flaw paves the way for arbitrary code execution via prompt injection, extending the risk of compromise to IDE-based development environments with AI integration.
Hijacking the Gemini Panel in Chrome and Browser-Based Vectors
AI integration exposes new attack vectors even at the browser level. On March 3, 2026, Unit 42 disclosed the technical details of a vulnerability in Chrome that allowed a malicious extension to hijack the Gemini panel. The vulnerability was originally reported in October 2025. On January 6, 2026, prior to Unit 42's disclosure, Google had already released Chrome version 143.0.7499.192 to fix the flaw. Regarding this type of threat, the Unit 42 team emphasized that "The evolution of browsers integrating AI presents additional risks that add more weight to how dangerous extension-based attacks can be". Extensions see their damaging impact amplified when they manage to interact with integrated AI panels.
Frequently Asked Questions
- What is the recently discovered vulnerability in Gemini CLI?
- On April 29, 2026, Novee Security published a critical severity vulnerability in Gemini CLI that allowed an attacker to force the loading of malicious content as configuration, triggering code execution on the host before the sandbox initialized.
- Which versions of the Gemini CLI npm package are affected by the RCE flaw?
- The vulnerabilities affect the @google/gemini-cli package in versions prior to 0.40.0-preview.3 and the google-github-actions/run-gemini-cli GitHub Actions workflow in versions prior to 0.1.22.
- How does the vulnerability in the Cursor AI editor work?
- The Cursor AI editor, in versions prior to 2.5, was affected by a high severity vulnerability that allowed arbitrary code execution via prompt injection techniques.
This article is a summary based exclusively on the listed sources.
Sources
- https://prothect.it/sicurezza/vulnerabilita-critica-nel-gemini-cli-rischio-esecuzione-codice-remoto/
- https://www.cyera.com/research/cyera-research-labs-discloses-command-prompt-injection-vulnerabilities-in-gemini-cli
- https://www.html.it/magazine/gemini-cli-scoperta-grave-vulnerabilita-rischio-esfiltrazione-dati-per-gli-sviluppatori/
- https://knowledge.workspace.google.com/admin/security/indirect-prompt-injections-and-googles-layered-defense-strategy-for-gemini
- https://www.wired.it/article/prompt-injection-cosa-e-gemini-a-rischio/