Google ke Gemini CLI mein ek badi security kamzori ka pata chala hai, jisse attackers kuch CI/CD environments, GitHub Actions workflows mein koi bhi code chala sakte han.
Yeh samasya, jise CVE-2026-12537 ke issue par track kiya gaya hai, Gemini CLI aur usse jude GitHub Action ke kai version par asar dalti hai.
Gemini CLI Vulnerability
Asli vajah yeh hai ki Gemini CLI pehle automated CI pipeline jaise “headless” environment ko kaise handle karta tha. purane version men, CLI non-interactive mode. mein chalne par automatically workspace folders par bharosa karta tha.
Iska matlab tha ki configuration filen, jisme .gemini/.env jaisi local directory mein store environment variable shamil the, bina verification ke load ho jaati thin. ek atackar repository mein kharab environment variable daalkar is behaviour ka fayda utha sakta hai.
jab koi CI workflow pul request jaise untrasted input ko process karta tha, to Gemini CLI in variable ko load karta tha aur shayad arbitrary commands ko execute karta tha.
