Google Fixes CVSS 10 Gemini CLI CI RCE and Cursor Flaws Enable Code Execution
Summary
Google has patched a critical remote code execution (RCE) vulnerability in the Gemini CLI and its associated GitHub Actions workflow, which previously allowed attackers to execute commands on host systems. Simultaneously, security researchers identified high-severity flaws in the Cursor IDE, including a sandbox escape via Git hooks and an unpatched access control vulnerability that exposes sensitive credentials to extensions.
Key Points
- Gemini CLI vulnerability (CVSS 10.0) affects @google/gemini-cli versions < 0.39.1 and < 0.40.0-preview.3, and google-github-actions/run-gemini-cli < 0.1.22.
- The Gemini CLI fix requires explicit workspace trust; developers must set GEMINI_TRUST_WORKSPACE: 'true' in workflows processing trusted inputs.
- Cursor IDE vulnerability (CVE-2026-26268, CVSS 8.1) enables RCE through malicious Git post-checkout hooks triggered by AI agent operations.
- An unpatched access control vulnerability in Cursor (CVSS 8.2), known as "CursorJacking," allows installed extensions to access API keys and session tokens in a local SQLite database.
- Google updated the Gemini CLI --yolo mode to ensure the policy engine evaluates tool allowlisting even when auto-approving commands.
Technical Details
The Gemini CLI vulnerability originated from the tool's default behavior in headless mode (CI/CD environments), where it automatically trusted workspace folders to load configuration and environment variables. Attackers could exploit this by placing malicious configurations in the .gemini/ directory, triggering command execution on the host system before the agent's sandbox could initialize. The update requires folders to be explicitly trusted before configuration files are accessed. Furthermore, Google hardened the --yolo mode to prevent prompt injection from bypassing the tool allowlist defined in ~/.gemini/settings.json.
The Cursor IDE RCE (CVE-2026-26268) exploits the interaction between AI agent autonomy and Git's configuration. An attacker can use an AGENTS.md file to instruct the Cursor agent to perform a git checkout within a malicious bare repository. This action triggers a hidden post-checkout hook, leading to arbitrary code execution. Separately, the "CursorJacking" vulnerability (CVSS 8.2) stems from missing access control boundaries between extensions and the application's local SQLite database. This allows any installed extension with local file system access to extract sensitive API keys and credentials.
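A pre-flight check for the Git-hook path described above, as an added example (not code from Cursor, Google, or the researchers): it walks a cloned workspace and reports any directory laid out as a Git repository other than the checkout's own .git, together with hook files that are not Git's .sample templates. It goes slightly beyond post-checkout by listing every non-sample hook; the docs/assets.git tree built in demo() is constructed sample input.

```python
import os
import tempfile

def is_git_dir(path):
    """Layout Git recognises as a repository: HEAD plus objects/ and refs/."""
    return (os.path.isfile(os.path.join(path, "HEAD"))
            and os.path.isdir(os.path.join(path, "objects"))
            and os.path.isdir(os.path.join(path, "refs")))

def non_sample_hooks(git_dir):
    """Hook files that are not the *.sample templates Git ships by default."""
    hooks_dir = os.path.join(git_dir, "hooks")
    if not os.path.isdir(hooks_dir):
        return []
    return sorted(n for n in os.listdir(hooks_dir)
                  if not n.endswith(".sample")
                  and os.path.isfile(os.path.join(hooks_dir, n)))

def find_embedded_repos(workspace):
    """Report Git directories inside a checkout other than its own top-level .git."""
    top = os.path.abspath(workspace)
    findings = []
    for root, dirs, _files in os.walk(top):
        if root == os.path.join(top, ".git"):
            dirs[:] = []          # the checkout's own metadata; hooks are not cloned into it
        elif is_git_dir(root):
            findings.append((os.path.relpath(root, top), non_sample_hooks(root)))
            dirs[:] = []          # no need to descend into the embedded repo
    return sorted(findings)

def _write(path, text):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)

def demo():
    """Scan a constructed tree: a normal checkout hiding a bare repo under docs/."""
    with tempfile.TemporaryDirectory() as ws:
        for repo in (".git", os.path.join("docs", "assets.git")):
            _write(os.path.join(ws, repo, "HEAD"), "ref: refs/heads/main\n")
            for sub in ("objects", "refs"):
                os.makedirs(os.path.join(ws, repo, sub))
        hooks = os.path.join(ws, "docs", "assets.git", "hooks")
        _write(os.path.join(hooks, "post-checkout"), "#!/bin/sh\n# constructed placeholder\n")
        _write(os.path.join(hooks, "pre-commit.sample"), "#!/bin/sh\n")
        _write(os.path.join(ws, "src", "main.py"), "print('hello')\n")
        return find_embedded_repos(ws)

if __name__ == "__main__":
    for path, hooks in demo():
        print(f"embedded repo: {path}  hooks: {hooks or 'none'}")
```

Run find_embedded_repos() on a fresh clone before opening it in an agent-enabled editor; any result with a non-empty hook list deserves manual review.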
Impact / Why It Matters
Developers using Gemini CLI in CI/CD pipelines must audit workflows to prevent supply-chain attacks via untrusted pull requests. For Cursor users, these vulnerabilities necessitate extreme caution when cloning external repositories and installing third-party extensions to prevent code execution and credential theft.