๐Ÿ” CVE Alert

CVE-2026-12537

Severity: UNKNOWN (score 0.0)

Unauthenticated Remote Code Execution in Gemini CLI CI/CD Workflows

CVSS Score: 0.0
EPSS Score: 0.0%
EPSS Percentile: 0th

Improper neutralization of input used in an OS command in the container launcher in Google Gemini CLI (versions prior to 0.39.1) and the run-gemini-cli GitHub Action (versions prior to 0.1.22) on headless CI platforms allows an unprivileged attacker to achieve pre-sandbox host-level code execution via a maliciously crafted .gemini/.env file.

CWE: CWE-20
Vendor: Google Cloud
Product: Gemini CLI
Published: Jun 24, 2026
Last Updated: Jun 24, 2026

Affected Versions

Google Cloud / Gemini CLI: versions < 0.39.1
Google Cloud / run-gemini-cli GitHub Action: versions < 0.1.22

References

NVD, CVE.org, EPSS Data
github.com: https://github.com/google-github-actions/run-gemini-cli/security/advisories/GHSA-wpqr-6v78-jr5g

Credits

๐Ÿ” Elad Meged of Novee Security ๐Ÿ” Devansh Batham