Pillar Security Finds Critical TrustIssues Vulnerability in gemini-cli
.png)
Pillar Security disclosed TrustIssues, a CVSS 10 supply-chain vulnerability in Google's gemini-cli AI coding agent, exploitable via a single crafted GitHub issue and chained from prompt injection through a --yolo tool-allowlist bypass to pushing arbitrary code onto a repository's main branch. Google patched it in @google/gemini-cli 0.39.1 and run-gemini-cli 0.1.22 (advisory GHSA-wpqr-6v78-jr5g) after Pillar found the same vulnerable workflow pattern in at least 8 other Google-maintained repositories. The disclosure landed the same week Cursor patched two unrelated flaws in its own AI coding tool, underscoring that prompt-injection-to-credential-theft is now an active attack class against AI coding agents, not a theoretical one.
This disclosure is a concrete case study in why prompt-injection defenses aimed at the model itself are not enough: Pillar's researchers treated the vulnerability as a privilege problem, not a prompting problem, and that framing is what let them chain a single GitHub comment into a full repository compromise. For any team running an AI coding agent inside CI/CD, the credential-handling failures here, not the prompt injection itself, are the reusable lesson.
What happened
Pillar Security researchers disclosed a CVSS 10 critical vulnerability, dubbed TrustIssues and tracked as advisory GHSA-wpqr-6v78-jr5g, in Google's AI coding agent Gemini CLI and its companion run-gemini-cli GitHub Actions integration. The flaw chained a prompt-injection vector against the agent's automated GitHub-issue triage workflow with a tool-allowlist bypass in the agent's --yolo (auto-approve) mode, letting any external attacker who could open a public issue on a repository using the workflow escalate from a single comment to pushing arbitrary code to the repository's main branch. Pillar reported the vulnerability against google/draco on April 16, 2026, demonstrated full supply-chain compromise of the public gemini-cli repository on April 20, and Google published the advisory and patches on April 24. The fix landed in Gemini CLI 0.39.1 (and 0.40.0-preview.3) and run-gemini-cli 0.1.22. The same vulnerable workflow pattern was identified across at least eight other Google-maintained repositories before remediation.
Technical context
The attack mechanism matches what Pillar calls the "lethal trifecta": an AI agent with access to private credentials, exposure to attacker-controlled untrusted input, and the ability to communicate externally. Running in headless CI mode, gemini-cli automatically trusted workspace configuration files, ignored its tool allowlist under --yolo, and read the workflow's persisted Git credentials, which carried actions:write permission. In Pillar's proof of concept, a single crafted GitHub issue body led the agent to read .git/config, exfiltrate the token, dispatch a second workflow checking out a malicious fork, and push code directly to main. None of the three underlying patterns, prompt injection via markdown, over-permissive checkout credentials, or auto-yes agent modes, is new on its own; the disclosure's significance is that they composed into a public-attack supply-chain compromise of a project with 101,000-plus GitHub stars. Google's patch evaluates tool allowlists even under --yolo and requires workspace trust in CI mode to be explicitly opted into via the GEMINI_TRUST_WORKSPACE environment variable.
For practitioners
Pillar's own recommendation is to treat prompt injection as a privilege problem rather than a prompting problem: model what an exfiltrated credential can do, not just whether the prompt can be subverted. Concretely, for any AI-in-CI integration:
- •Set persist-credentials: false on actions/checkout.
- •Never pass GITHUB_TOKEN to agents that process untrusted issue or PR content.
- •Keep the agent's tool allowlist tightly constrained, and confirm it is enforced under any auto-approve or yolo mode.
- •Audit workflow triggers such as on: issues: or on: issue_comment: that activate AI agents, and patch immediately: upgrade to gemini-cli 0.39.1+ or run-gemini-cli 0.1.22+.
Industry context
Independent reporting from The Hacker News, SecurityWeek, The Register, and Hackread confirms the technical chain and timeline. The same week, Cursor patched two unrelated flaws in its own AI coding tool: a Git-hook execution issue (CVE-2026-26268, CVSS 8.1) and a separate access-control bug dubbed "CursorJacking" (CVSS 8.2). Together, the disclosures are accelerating scrutiny of AI coding agents industry-wide and pushing the "lethal trifecta" framework, private data, untrusted input, external communication, toward becoming a standard audit lens for AI-in-the-loop CI/CD integrations.
What to watch
- •Whether other AI coding agent providers (GitHub Copilot, Cursor, Cody, Replit Agent) disclose similar tool-allowlist or workspace-trust bypasses as researchers probe the same attack surface.
- •Whether GitHub imposes default policies, such as forced persist-credentials: false or rate-limited issue-triage triggers, on workflows that declare AI integrations.
- •Whether CI/CD security vendors ship detection signatures for agent prompt-injection-to-supply-chain attacks; today there are essentially no off-the-shelf detections for this class.
Key Points
- 1Pillar Security disclosed TrustIssues, a CVSS 10 flaw letting a single GitHub issue compromise Google's gemini-cli via prompt injection and credential theft.
- 2The exploit chain relied on gemini-cli trusting workspace files and ignoring tool allowlists in --yolo mode, exposing Git tokens with write access to main.
- 3Google patched the flaw across 8-plus repositories, and the same week Cursor fixed unrelated bugs, signaling AI coding agents are now an active attack class.
Scoring Rationale
A CVSS 10 supply-chain compromise of a major-vendor AI coding agent (100k+ star repo, 8+ affected Google repositories) with a fully verified technical chain (primary researcher writeup, official GitHub advisory, and four independent outlets) is a major, well-evidenced security story. The concurrent disclosure of unrelated Cursor flaws the same week strengthens the case that prompt-injection-to-credential-theft is now an active attack class against AI coding agents industry-wide, supporting a score at the top of the major tier.
Sources
Primary source and supporting public references used for this report.
View 4 more sources
- Google security advisory GHSA-wpqr-6v78-jr5g — Gemini CLI tool-allowlist bypass and unsafe workspace trust in CI modegithub.com
- Gemini CLI Vulnerability Could Have Led to Code Execution, Supply Chain Attacksecurityweek.com
- Google fixes CVSS 10.0 vulnerability in Gemini CLItheregister.com
- Google Fixes CVSS 10 Gemini CLI Vulnerability Enabling GitHub Issue-Based RCEhackread.com
Practice with real Ad Tech data
90 SQL & Python problems · 15 industry datasets
250 free problems · No credit card
See all Ad Tech problems
