Google has patched a maximum-severity vulnerability (CVSS 10.0) in its Gemini CLI tool, affecting both the @google/gemini-cli npm package and the google-github-actions/run-gemini-cli GitHub Action. Discovered by Novee Security, the flaw allowed an unprivileged external attacker to get attacker-controlled content loaded as Gemini configuration, leading to arbitrary command execution on the host before the agent's sandbox had even initialized. The root cause was Gemini CLI's behaviour of automatically trusting the workspace folder in headless mode: it loaded whatever agent configuration it found there without review, sandboxing, or explicit user consent, which turned CI/CD pipelines running the tool on external contributions into viable supply-chain attack paths.

Google's fix, released in version 0.39.1, requires a folder to be explicitly trusted before configuration files in it are read. Users whose workflows run only on trusted inputs are advised to set GEMINI_TRUST_WORKSPACE: 'true'; those processing untrusted inputs (for example, GitHub issues submitted by outside users) are urged to follow Google's hardening guidance. Google also addressed a separate issue in --yolo mode: the auto-approve feature previously ignored tool allowlists and executed every tool call, including shell commands, without user confirmation, a behaviour that could be exploited via prompt injection from untrusted inputs such as user-submitted GitHub issues.

The disclosure arrives alongside two high-severity vulnerabilities in the AI-powered development tool Cursor. CVE-2026-26268, with a CVSS score of 8.1, enables arbitrary code execution through prompt injection and a sandbox escape via malicious Git hooks embedded in a cloned repository, triggered by nothing more than asking the Cursor agent to explain the codebase. A second flaw, dubbed CursorJacking by security firm LayerX and rated CVSS 8.2, allows any installed extension to read sensitive API keys and credentials stored in a local SQLite database, potentially enabling account takeover and unauthorized API usage. Notably, CursorJacking remains unpatched, underlining the expanding attack surface that AI-powered development tools introduce.