// Service

Gemini

// Alerts

Recent threats

// GeminiCRITICAL

A critical command injection vulnerability (CVE-2026-12537, CVSS 10.0) in Google's Gemini CLI and run-gemini-cli GitHub Action allows unprivileged remote attackers to execute arbitrary OS commands before sandbox initialization. Two root causes enable the exploit: automatic workspace trust in headless mode loading malicious .env files, and tool allowlist bypass in --yolo mode. Attackers can exploit prompt injection to exfiltrate CI secrets and push malicious code to repositories. Patches released: @google/gemini-cli v0.39.1/v0.40.0-preview.3 and run-gemini-cli v0.1.22.

Google filed a lawsuit against Outsider Enterprise, a China-based cybercrime network that abused Gemini to generate code for phishing websites and scam infrastructure. The operation created over 9,000 fake websites and 1 million fraudulent URLs, impacting hundreds of thousands of victims with losses in the millions. Members used Gemini to create convincing phishing kits for fake package delivery alerts, banking notifications, and account security warnings distributed via Telegram. Google coordinated with the FBI and major carriers to dismantle the infrastructure.

SafeBreach Labs researchers disclosed a novel indirect prompt injection (IPI) vulnerability in Google Gemini's voice assistant that allows attackers to silently hijack the AI through malicious payloads in WhatsApp, Slack, SMS, Signal, Instagram, and Messenger notifications. The attack exploits Gemini's notification processing to embed malicious instructions and bypass user awareness, enabling unauthorized actions including smart home control, social engineering, and persistent memory poisoning. Researchers developed a bypass technique called Fake Context Alignment to circumvent Google's mitigations. Google confirmed on November 14, 2025, that content classifier updates mitigated the vulnerability.

A critical vulnerability tracked as CVE-2026-48710, dubbed 'BadHost,' was disclosed in Starlette (versions before 1.0.1), a foundational framework used by FastAPI-based AI infrastructure. The flaw allows attackers to bypass authentication by injecting malicious values into the HTTP Host header, causing middleware to misroute requests and grant unauthorized access to protected API endpoints. Affected platforms explicitly include Google ADK-Python (Gemini's agent development framework) when custom middleware is in use, as well as LLM inference servers, MCP gateways, and AI agent orchestration backends. Successful exploitation can expose LLM endpoints, API keys, internal agent tooling, and AI compute resources without authorization. The vulnerability was discovered by X41 D-Sec during an OSTIF-sponsored audit. Mitigation requires upgrading Starlette to version 1.0.1 or later and avoiding reliance on request.url.path for security decisions in middleware.

// GeminiMEDIUM

Trend Micro's TrendAI Research disclosed on May 25, 2026 that a Russian-speaking threat actor tracked as "bandcampro" operated a multi-year influence and fraud campaign powered by a persistently jailbroken instance of Google Gemini CLI. The actor abused Gemini's GEMINI.md memory file to establish a self-reinforcing "authorized pentester" context, escalated permissions across sessions, and used Russian-language prompts to bypass safety guardrails. With guardrails disabled, Gemini reportedly generated password mutation lists used to crack WordPress administrator credentials, produced QAnon- and MAGA-themed content for a Telegram channel with roughly 17,000 subscribers, and assisted with command-and-control infrastructure and pump-and-dump scheme instructions tied to draining at least one cryptocurrency wallet. The operation ran at near-zero cost via stolen API keys. The disclosure highlights weaknesses in persistent-memory handling and multilingual safety controls in Gemini CLI rather than a discrete CVE.

Reporting indicates Google's Gemini API has drawn criticism over security weaknesses that have left some developers facing large unauthorized bills tied to compromised or abused API keys. Coverage frames this as an ongoing controversy rather than a single disclosed CVE, with Google Cloud leadership publicly acknowledging that AI security must be treated as a first-class concern. No specific patch, vendor advisory, or attribution to a named threat actor has been published in the available source. Developers using the Gemini API should review key scoping, rotate exposed credentials, enable billing alerts and quotas, and monitor usage for anomalous consumption. Treat this as an awareness item pending more authoritative technical detail from Google.

// GeminiMEDIUM

Google Threat Intelligence Group (GTIG) published a May 11, 2026 report documenting ongoing abuse of the Gemini service by criminal and state-sponsored threat actors. PRC-linked group APT27 used Gemini to accelerate development of a network management tool for an operational relay box network configured to route traffic through residential IPs. The ESET-identified Android backdoor PROMPTSPY integrates the Gemini API into an autonomous agent module, sending live UI layouts to Gemini and receiving back tap and gesture coordinates to drive on-device actions, capture biometric inputs, and block uninstallation. GTIG also reported that PRC-linked actors are systematically bypassing AI platform billing controls, including a relay service that pools compromised Gemini, Claude, and OpenAI accounts to distribute access and costs. Google states no PROMPTSPY-containing apps are present on Google Play and that Play Protect mitigates the Android threat; the underlying AI-developed zero-day discussed in the same report did not involve Gemini.

A critical vulnerability in Google's Gemini CLI, disclosed by Pillar Security, could have enabled a full supply-chain compromise of the open-source AI agent. The flaw, rated CVSS 10/10 but without a CVE identifier, stemmed from --yolo mode ignoring tool allowlists, allowing arbitrary command execution. An attacker could plant a malicious indirect prompt inside a public GitHub issue; when Gemini CLI auto-triaged the issue, the injected instructions could exfiltrate build-environment secrets and pivot to a token with full write access to the gemini-cli repository, enabling malicious code to ship to downstream users. At least eight other Google repositories shared the same vulnerable workflow. Separate Adversa.AI research (TrustFall) further shows Gemini CLI, alongside Claude Code, Cursor CLI, and Copilot CLI, will execute project-defined MCP servers from a malicious repository upon a single trust-prompt keypress, enabling one-click RCE.