Google has remediated a critical remote code execution (RCE) vulnerability in its Gemini CLI tools, while independent researchers have disclosed additional high‑severity flaws in the Cursor AI IDE. Together, these incidents highlight how AI‑powered development tools and CI/CD integrations are rapidly becoming a prime target in the software supply chain.
Critical Gemini CLI vulnerability in CI/CD pipelines
The issue, identified by Novee Security, affected both the npm package @google/gemini-cli and the GitHub Actions workflow google-github-actions/run-gemini-cli. In headless mode—the typical configuration for CI/CD systems—Gemini CLI automatically trusted the current working directory and loaded configuration and environment variables from the local .gemini/ folder without validation.
This design allowed an attacker to craft a repository containing a malicious Gemini agent configuration and introduce it into the build process, for example via a pull request to a public project. When the CI workflow using Gemini CLI executed against that repository, the tool automatically consumed the malicious configuration, leading to remote code execution (RCE) on the CI host before any sandboxing was initialized. The vulnerability has been rated with a maximum CVSS base score of 10.0, though no dedicated CVE identifier has yet been assigned.
The risk is particularly acute in environments where CI pipelines process untrusted or community contributions—forks, external pull requests, or automated checks on user‑supplied code. In these scenarios, compromise of the build server can escalate into a full‑scale supply chain attack, enabling an adversary to inject backdoors into build artifacts in a manner reminiscent of historic incidents such as SolarWinds and Codecov breaches.
Google hardens Gemini CLI trust model and –yolo behavior
Google notes that the primary exposure affected headless Gemini CLI usage in automated pipelines. The patch fundamentally changes the trust model: directories must now be explicitly marked as trusted before Gemini CLI will load their configuration. Development and DevOps teams using GitHub Actions or other CI systems need to review their workflows to ensure they operate only on trusted paths or explicitly configure the new trust mechanism.
Google has also reinforced protections around the –yolo flag, which enables automatic approval of all agent actions. Previously, –yolo could effectively bypass the allowlist defined in ~/.gemini/settings.json, permitting all tools—including high‑risk capabilities such as run_shell_command—to run without user confirmation. In combination with prompt injection or processing of untrusted data (for example, GitHub issues or arbitrary user requests), this behavior created an additional RCE vector.
Starting with Gemini CLI version 0.39.1, the policy engine enforces the allowlist even when –yolo is enabled. This allows organizations to retain automated approvals in CI/CD while strictly constraining which commands the AI agent can execute. However, some existing pipelines may begin to fail silently if their allowlists do not reflect all tools actually used, requiring configuration updates to restore expected behavior.
Cursor IDE vulnerabilities underscore AI coding tool risks
Sandbox escape via Git hooks (CVE-2026-26268)
In parallel, Novee Security reported a high‑severity vulnerability in the Cursor AI IDE affecting versions prior to 2.5, tracked as CVE‑2026‑26268 (CVSS 8.1). Cursor describes the problem as a “sandbox escape via .git configuration”. The flaw leverages the interaction between Git’s hook mechanism and automated actions performed by the AI agent.
An attacker can prepare a nested bare Git repository (bare .git) containing a malicious Git hook, such as pre-commit. Whenever a commit operation occurs in that repository, the hook executes automatically. If the AI agent within Cursor, acting “on behalf of” the developer, runs routine Git commands like git checkout or commits within the attacker‑controlled repository, the malicious hook is triggered transparently, outside the agent’s and user’s awareness, but with the user’s privileges.
The root cause is not a single coding bug in Cursor, but an unsafe overlap between Git’s extensibility and autonomous AI operations. Once an AI agent is allowed to perform Git actions in repositories it does not fully control, ordinary commands can activate hidden execution chains. This pattern illustrates a broader AI development tools security challenge: traditional developer tooling features (hooks, macros, plugins) become more dangerous when combined with non‑supervised AI agents.
CursorJacking: extension access to API keys and tokens
A separate high‑risk issue in Cursor, dubbed CursorJacking by LayerX researchers and rated CVSS 8.2, further demonstrates the need for strict isolation in AI IDEs. According to LayerX, Cursor stores API keys, session tokens and other credentials in a local SQLite database. Any installed extension with local filesystem access can read this database, due to insufficient separation between extensions and sensitive data storage.
By accessing this database, a malicious or compromised extension can potentially take over user accounts via session tokens, invoke Cursor backend services on the user’s behalf, abuse paid AI APIs causing financial loss, or exfiltrate project data and AI interaction histories. At the time of writing, this vulnerability reportedly remains unpatched. The vendor emphasizes that exploitation requires local access and user‑granted permissions, yet in practice this means any untrusted extension can become a powerful data exfiltration vector, not only for Cursor but for other local applications relying on similar storage patterns.
Taken together, the Gemini CLI and Cursor IDE vulnerabilities demonstrate how AI‑driven development and CI/CD tools are evolving into high‑value attack surfaces. Organizations should treat AI agents as code with network and filesystem access, not as harmless assistants: restrict tool allowlists, enforce explicit trust for repositories and directories, disable or tightly control Git hooks in automated contexts, minimize secrets stored on developer endpoints, and adopt a strict policy of installing only vetted extensions and integrations. Proactive hardening of AI development environments today can significantly reduce the likelihood of tomorrow’s supply chain compromise.
