Google fixed a maximum-severity remote code execution flaw in Gemini CLI (the @google/gemini-cli npm package and google-github-actions/run-gemini-cli workflow) that allowed unprivileged attackers to load malicious configuration and execute arbitrary commands on host systems. Related disclosures also detail high-severity Cursor vulnerabilities — including CVE-2026-26268 and an unpatched “CursorJacking” access-control issue — that enable sandbox escape via malicious .git hooks and extension access to local credentials.
Key points
- Gemini CLI in headless/CI mode trusted workspace folders by default, allowing malicious .gemini/ configuration to trigger remote command execution on the host.
- The flaw affects @google/gemini-cli
- Google’s fix requires explicit folder trust (e.g., set GEMINI_TRUST_WORKSPACE: 'true' for trusted inputs) or following hardening guidance for untrusted inputs, plus stricter tool allowlisting under --yolo mode.
- Cursor prior to version 2.5 (CVE-2026-26268) can be forced to execute arbitrary code via a malicious embedded bare .git repository and post-checkout hook when an agent runs git operations.
- An additional unpatched Cursor access-control issue (“CursorJacking”) lets installed extensions access local SQLite-stored API keys and session tokens, risking credential theft and account takeover; users should limit extensions and apply vendor guidance.
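
A pre-flight check for the two workspace-borne vectors in the key points above (repository-supplied .gemini/ configuration and an embedded bare git repository carrying hooks), run over an untrusted checkout before any agent touches it. This is an added example, not code from Google, Cursor or the linked article; the function names and the sample tree are constructed for illustration, and hooks are flagged whether or not they are marked executable.

```python
import os
import tempfile


def is_git_dir(path):
    """A git directory (bare repo or .git) holds HEAD plus objects/ and refs/."""
    return (os.path.isfile(os.path.join(path, "HEAD"))
            and all(os.path.isdir(os.path.join(path, d)) for d in ("objects", "refs")))


def active_hooks(git_dir):
    """Hook files that are not git's inactive *.sample templates."""
    hooks = os.path.join(git_dir, "hooks")
    if not os.path.isdir(hooks):
        return []
    return sorted(n for n in os.listdir(hooks)
                  if not n.endswith(".sample")
                  and os.path.isfile(os.path.join(hooks, n)))


def scan_workspace(root):
    """Return sorted (kind, relative_path, hooks) findings for an untrusted checkout."""
    findings = []
    for cur, dirs, _ in os.walk(root):
        for d in list(dirs):
            full = os.path.join(cur, d)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if d == ".gemini":
                findings.append(("gemini-config", rel, []))
            elif is_git_dir(full):
                dirs.remove(d)  # never descend into git internals
                if rel != ".git":  # the checkout's own .git is expected
                    findings.append(("embedded-git-dir", rel, active_hooks(full)))
    return sorted(findings)


def demo():
    """Build a constructed sample tree (not taken from the article) and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for p in (".git/objects", ".git/refs", "src/.gemini",
                  "vendor/lib/objects", "vendor/lib/refs", "vendor/lib/hooks"):
            os.makedirs(os.path.join(root, p))
        for p in (".git/HEAD", "vendor/lib/HEAD", "vendor/lib/hooks/post-checkout",
                  "vendor/lib/hooks/pre-commit.sample", "src/.gemini/settings.json"):
            with open(os.path.join(root, p), "w") as fh:
                fh.write("placeholder\n")
        return scan_workspace(root)
```

In CI, a non-empty result from `scan_workspace` on a pull-request checkout is a reason to stop before starting the agent and to review the flagged paths.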
Read More: https://thehackernews.com/2026/04/google-fixes-cvss-10-gemini-cli-ci-rce.html