HarborGuardharborguardDatabase
Back to search
CRITICALCVE-2026-12537Published Modified CNA GoogleCloud

CVE-2026-12537: Unauthenticated Remote Code Execution in Gemini CLI CI/CD Workflows

Improper Neutralization used in an OS Command in the container launcher in Google Gemini CLI (versions prior to 0.39.1) and run-gemini-cli GitHub Action (versions prior to 0.1.22) on headless CI platforms allows an unprivileged attacker to achieve pre-sandbox host-level code execution a maliciously crafted .gemini/.env file.

Metrics

CVSS v4.0
10.0
Severity
CRITICAL
Fixed in
0.1.22
Affected Products
2

Get notified

Email me when this CVE is updated: new fix versions, severity changes, or any record change.

HarborGuard Analysis

Synopsis

An OS command injection vulnerability affects Google Gemini CLI (versions prior to 0.39.1) and the run-gemini-cli GitHub Action (versions prior to 0.1.22). The flaw sits in the container launcher and can be triggered remotely without any authentication by supplying a maliciously crafted .gemini/.env file, which the launcher processes before the sandbox is established. Successful exploitation gives an attacker full host-level code execution on the CI/CD runner before any sandboxing takes effect. Patched-image rebuilds at versions 0.39.1 and 0.1.22 are available on HarborGuard for environments running affected versions.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images in connected registries and CI pipelines, including custom-built images that bundle Gemini CLI or the run-gemini-cli Action. Both affected packages are fingerprinted regardless of how they were introduced into an image layer.

Available
Triage

HarborGuard scores this finding at CVSS 10.0 Critical (v4.0) and surfaces it accordingly in each customer organization's compliance policy weighting, which can escalate severity or adjust SLA timers based on environment-specific rules. Findings are routed automatically to the team inbox or ticketing integration configured for the affected registry or pipeline.

Available
Patch

A patched-image rebuild pinned to Gemini CLI 0.39.1 and run-gemini-cli 0.1.22 becomes available in HarborGuard as soon as the fix versions are resolvable from upstream. For customers who opt into auto-remediation, HarborGuard triggers the rebuild, runs a regression test suite against the new image, and opens a pull request against every affected workload in the customer's configured repositories.

Available

Exploit Conditions

  • Network reachabilityRequired

    The attacker reaches the vulnerable container launcher over the network; any CI runner exposed to untrusted repository input or remote trigger is within scope.

  • AuthenticationNot required

    No credentials or account of any privilege level are needed to deliver the malicious .gemini/.env payload.

  • Victim interactionNot required

    No user needs to click a link or approve an action; the launcher processes the crafted file automatically during the CI startup sequence.

  • Attack complexityDetail

    Exploitation is reliable and condition-free: no race conditions, memory-layout dependencies, or environmental prerequisites are required beyond the ability to supply a crafted .gemini/.env file.

Blast Radius

  • Attacker executes arbitrary OS commands on the CI/CD host at the process level before the Gemini sandbox initializes, giving full control of the runner environment.
  • Secrets, tokens, and environment variables present on the runner (repository deploy keys, cloud provider credentials, registry passwords) are readable and exfiltrable.
  • The attacker can modify build artifacts, inject malicious code into the pipeline output, or tamper with any files the runner process can write.
  • Compromise of the runner can pivot into downstream systems reachable from the CI network, including production registries and deployment targets.

How HarborGuard Handles This

Available on HarborGuard: detection fires within minutes of the CVE publication timestamp for any image or pipeline component referencing an affected version of Gemini CLI or the run-gemini-cli Action, including images where the package was installed in an intermediate layer. For customers who opt into auto-remediation, HarborGuard initiates a rebuild against the patched versions (0.39.1 and 0.1.22 respectively), executes a regression test run, and opens a pull request against affected workloads. For high and critical severity issues, the median time from CVE publication to a merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where compliance policy requires manual approval before remediation, the finding is routed to the configured approver inbox with full CVSS context and affected-layer provenance attached. Given the pre-sandbox execution path and the CVSS 10.0 rating, prioritizing this update ahead of the next scheduled maintenance window is strongly advisable.

See how HarborGuard automates this

Fix available

0.1.220.39.1
Affected packages
  • Google Cloud / Gemini CLI
    < 0.39.1 (from 0)
  • Google Cloud / run-gemini-cli GitHub Action
    < 0.1.22 (from 0)
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/U:Clear
References