DEV Community

Cover image for Google Patches Maximum-Severity RCE Vulnerability in Gemini CLI and GitHub Actions
BeyondMachines for BeyondMachines

Posted on • Originally published at beyondmachines.net

Google Patches Maximum-Severity RCE Vulnerability in Gemini CLI and GitHub Actions

Summary

Google patched a maximum-severity RCE vulnerability (CVE-2026-12537) in Gemini CLI and its GitHub Action that allowed attackers to execute host-level commands via malicious workspace configurations. The flaw exploited implicit trust in headless CI/CD environments to steal secrets and compromise build pipelines.

Take Action:

If you use the Gemini CLI or its GitHub Action in your development pipelines, immediately upgrade to Gemini CLI version 0.39.1 (or 0.40.0-preview.3) and the run-gemini-cli action to version 0.1.22 to patch CVE-2026-12537. Only enable workspace trust for repositories you fully control. Review your automated workflows to make sure they never run shell commands on untrusted inputs.


Read the full article on BeyondMachines


This article was originally published on BeyondMachines

Top comments (0)