“The vulnerability allowed an unprivileged external attacker to force their own malicious content to load as Gemini configuration,” Novee researcher, Elad Meged, said in a blog post. “This triggered command execution directly on the host system, bypassing security before the agent’s sandbox even initialized.”
The impact of the flaw was limited to workflows using Gemini CLI in headless mode, without an interactive interface.
While a CVE ID has not been assigned to the flaw yet, Meged said Google assessed a severity rating of 10.0, the maximum on the CVSS scale. The maximum severity rating likely comes from the exploit requiring low complexity, minimal privileges, and little to no user interaction.
