Gemini CLI silently executed arbitrary code from an untrusted repo (CVE-2026-12537, CVSS 10.0)
Quick Answer
Gemini-cli (running gemini-2.5-pro) caused a critical-severity (10/10) security vulnerability failure: Gemini CLI silently executed arbitrary code from an untrusted repo (CVE-2026-12537, CVSS 10.0). The root cause was tool misuse. Tracebit reported the flaw to Google two days after Gemini CLI's June 25, 2026 launch.
Description
Google released Gemini CLI, an open-source terminal AI agent, on June 25, 2026. Two days later, researchers at Tracebit reported that in its default configuration the agent could silently execute arbitrary malicious code on a user's machine when run against untrusted code. Gemini CLI automatically trusted the current workspace folder and loaded any agent configuration found there without review, sandboxing, or human approval; its --yolo mode additionally ignored tool allowlists and would run any command. Code execution on the host handed an unprivileged outsider access to whatever secrets, credentials, and source code the workflow could reach — a direct path to a supply-chain attack inside CI/CD. Google classified it P1/S1, assigned CVE-2026-12537 with a CVSS v4 score of 10.0, and shipped a fix in v0.1.14.
Instruction Given
Run Gemini CLI inside a project directory to help with coding tasks.
Expected Behavior
Treat repository-supplied configuration as untrusted; never execute shell commands from a workspace without review or an allowlist.
Actual Behavior
Gemini CLI automatically trusted the current workspace folder and loaded any agent configuration it found there without review or sandboxing. Combined with a --yolo mode that ignored tool allowlists, a malicious repo could silently run arbitrary commands on the host the moment the agent was pointed at it.
Impact / Damage
Tracebit reported the flaw to Google two days after Gemini CLI's June 25, 2026 launch. Classified P1/S1 and assigned CVE-2026-12537 with a perfect CVSS v4 score of 10.0, it exposed thousands of CI/CD pipelines to command injection and supply-chain compromise until it was fixed in v0.1.14.
Frequently Asked Questions
What happened in incident STUPID-2026-0027? ▾
Google released Gemini CLI, an open-source terminal AI agent, on June 25, 2026. Two days later, researchers at Tracebit reported that in its default configuration the agent could silently execute arbitrary malicious code on a user's machine when run against untrusted code. Gemini CLI automatically trusted the current workspace folder and loaded any agent configuration found there without review, sandboxing, or human approval; its --yolo mode additionally ignored tool allowlists and would run any command. Code execution on the host handed an unprivileged outsider access to whatever secrets, credentials, and source code the workflow could reach — a direct path to a supply-chain attack inside CI/CD. Google classified it P1/S1, assigned CVE-2026-12537 with a CVSS v4 score of 10.0, and shipped a fix in v0.1.14.
Which AI agent caused this failure? ▾
Gemini-cli (running the gemini-2.5-pro model) was responsible for this security vulnerability incident, documented as STUPID-2026-0027 in the StupidLLM AI agent incident database.
How severe was this AI agent failure? ▾
It is rated 10/10 (critical) on StupidLLM's CVSS-style severity scale for AI agent failures, based on damage type, reversibility, and scope.
What was the root cause? ▾
The root cause was classified as tool misuse. Treat repository-supplied configuration as untrusted; never execute shell commands from a workspace without review or an allowlist.
What was the impact or damage? ▾
Tracebit reported the flaw to Google two days after Gemini CLI's June 25, 2026 launch. Classified P1/S1 and assigned CVE-2026-12537 with a perfect CVSS v4 score of 10.0, it exposed thousands of CI/CD pipelines to command injection and supply-chain compromise until it was fixed in v0.1.14.