Pillar Security Finds Critical TrustIssues Vulnerability in gemini-cli
Pillar Security disclosed TrustIssues, a CVSS 10 supply-chain vulnerability in Google's gemini-cli AI coding agent — exploitable via a single crafted GitHub issue and chained from prompt injection through --yolo tool-allowlist bypass to pushing arbitrary code to the repository's main branch. Fixed in @google/gemini-cli 0.39.1 and run-gemini-cli 0.1.22 (advisory GHSA-wpqr-6v78-jr5g). The same vulnerable workflow pattern appeared in at least 8 other Google-maintained repos.
What happened
Pillar Security researchers disclosed a CVSS 10 critical vulnerability — dubbed TrustIssues and tracked as advisory GHSA-wpqr-6v78-jr5g — in Google's AI coding agent Gemini CLI and its companion run-gemini-cli GitHub Actions integration. The flaw chained a prompt-injection vector against the agent's automated GitHub-issue triage workflow with a tool-allowlist bypass in the agent's --yolo (auto-approve) mode, allowing any external attacker who could open a public issue on a repository using the workflow to escalate from a single GitHub comment to pushing arbitrary code to the repository's main branch.
Pillar reported the vulnerability against google/draco on April 16, 2026, demonstrated full supply-chain compromise of the public gemini-cli repository on April 20, and Google published the advisory and patches on April 24. The fix landed in Gemini CLI 0.39.1 (and 0.40.0-preview.3) and google-github-actions/run-gemini-cli 0.1.22. The same vulnerable workflow pattern was identified across at least eight other Google-maintained repositories before remediation.
The attack mechanism is a textbook example of the "lethal trifecta" risk Pillar's blog highlights: an AI agent with:
- access to private credentials
- exposure to attacker-controlled untrusted input
- the ability to communicate externally

When gemini-cli ran in headless CI mode, it automatically trusted workspace configuration files, ignored its tool allowlist under --yolo, and read the workflow's persisted Git credentials — which carried actions:write permission. In Pillar's proof-of-concept, a single crafted GitHub issue body led the agent to read .git/config, exfiltrate the token, dispatch a second workflow checking out a malicious fork, and push code directly to main.
Editorial analysis - technical context
The vulnerability sits at the intersection of three patterns that have moved from theoretical to actively exploited over the last 12 months: prompt injection through user-controlled markdown, over-permissive default credentials in GitHub Actions checkouts, and "auto-yes" agent modes that bypass guardrails for developer convenience. None of those individually is novel. The contribution here is showing that they compose into a publicly exploitable supply-chain compromise of a flagship Google project with 101,000+ stars, reachable by anyone who can register a GitHub account and open an issue.
Google's patch addresses the proximate problem in two ways: tool allowlists are now evaluated even under --yolo, and command sanitization blocks shell substitution and redirection injection techniques previously accepted by the agent's command parser. Workspace trust in CI mode is no longer automatic — it must be explicitly opted into via the GEMINI_TRUST_WORKSPACE environment variable.
For practitioners running similar AI-in-CI integrations (whether gemini-cli, GitHub Copilot Workspace agents, or open-source equivalents), the architectural takeaway from Pillar's writeup is that prompt-hardening alone does not stop this class of attack. The researchers explicitly recommend treating prompt injection "as a privilege problem" and modelling threats around what an exfiltrated credential can do, not whether the prompt can be subverted in the first place. Concretely, that means setting persist-credentials: false on actions/checkout, never passing GITHUB_TOKEN to agents that process untrusted issue or PR content, and keeping the agent's tool allowlist tightly constrained.
Context and significance
This is one of the first publicly disclosed supply-chain compromises against a major-vendor agentic AI tool exploitable through a normal-user surface (GitHub issues). Independent reporting from The Hacker News, SecurityWeek, The Register, and Hackread confirms the technical chain and timeline. The same outlets note that disclosure has accelerated parallel scrutiny of similar AI coding agents — the same week, Cursor patched two of its own flaws (CVE-2026-26268, an analogous Git-hook execution issue rated CVSS 8.1, and a separate "CursorJacking" access-control bug at CVSS 8.2).
For organizations adopting AI-driven DevOps tooling, the disclosure is a forcing function on three governance questions: which third-party AI agents have write access to source code, who gates their tool allowlists, and how often those allowlists are reviewed. The "lethal trifecta" framework — private data, untrusted input, external communication — is becoming the default audit lens used by security teams evaluating any AI-in-the-loop CI/CD integration.
Why practitioners should care
If you ship code through any AI-augmented CI/CD pipeline — whether you maintain repositories using gemini-cli, evaluate competing AI coding agents, or operate the security review function for your engineering org — three actions follow directly from this disclosure:
- Audit your GitHub workflows for AI-agent triggers activated by external users. Workflow YAML lines like on: issues: or on: issue_comment: combined with run-gemini-cli (or any other auto-acting AI step) should be reviewed against tool-allowlist tightness and credential persistence.
- Disable persist-credentials on actions/checkout unless you have an explicit reason to keep tokens on disk during AI tool execution.
- Patch immediately — upgrade @google/gemini-cli to 0.39.1+ (or 0.40.0-preview.3) and run-gemini-cli to 0.1.22+. The advisory is at GHSA-wpqr-6v78-jr5g.
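As an added example (not from Pillar's writeup, Google's advisory, or the gemini-cli project), here is a stdlib-only Python checker for the audit and hardening steps described above: it flags workflows that run a Gemini agent step on issue-driven triggers without `persist-credentials: false`, without a read-only `permissions:` block, or with `--yolo`. The two workflow samples are constructed; the `run-gemini-cli` version pin and the `-p` flag on the agent invocation are assumptions, and the line-oriented scan is a heuristic rather than a YAML parser.

```python
"""Heuristic audit of a GitHub workflow for the TrustIssues risk pattern: an AI agent
step fired by externally controllable events while the job keeps a privileged token."""
import re

# Events anyone with a GitHub account can raise on a public repository.
EXTERNAL_TRIGGERS = ("issues", "issue_comment", "pull_request_target")
AGENT_MARKERS = ("google-github-actions/run-gemini-cli", "@google/gemini-cli")

def top_level_block(text: str, key: str) -> "str | None":
    # Body of a top-level `key:` mapping: inline value plus the indented lines under it.
    m = re.search(rf"^{key}:(.*(?:\n[ \t].*)*)", text, re.M)
    return m.group(1) if m else None

def audit_workflow(text: str) -> list:
    """Return findings for an agent exposed to external input; [] if none apply."""
    on_block = top_level_block(text, "on") or ""
    external = [t for t in EXTERNAL_TRIGGERS if re.search(rf"\b{t}\b", on_block)]
    if not (external and any(m in text for m in AGENT_MARKERS)):
        return []  # no agent acting on attacker-controlled input: out of scope
    findings = []
    # actions/checkout writes the job token into .git/config unless told not to.
    if "actions/checkout" in text and not re.search(r"persist-credentials:\s*false", text):
        findings.append("checkout persists token on disk; set persist-credentials: false")
    perms = top_level_block(text, "permissions")
    if perms is None:
        findings.append("no permissions: block; default token scopes apply")
    elif "write" in perms:
        findings.append("token has write scopes while agent reads untrusted input")
    if "--yolo" in text:
        findings.append("--yolo auto-approves tool calls; remove it, keep allowlist tight")
    return findings

# Constructed samples, not a real Google workflow: pre-patch shape, then hardened.
WEAK = """\
on:
  issues: {types: [opened]}
jobs:
  triage:
    steps:
      - uses: actions/checkout@v4
      - run: npx @google/gemini-cli --yolo -p "Triage issue #${{ github.event.issue.number }}"
"""
HARDENED = """\
on:
  issues: {types: [opened]}
permissions: {contents: read, issues: read}
jobs:
  triage:
    steps:
      - uses: actions/checkout@v4
        with: {persist-credentials: false}
      - uses: google-github-actions/run-gemini-cli@v0.1.22
"""
```

Run it against every file under .github/workflows; a non-empty result is a workflow to review before an external issue can reach the agent.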
What to watch
Three forward indicators worth tracking over the next 30 to 60 days:
- Cross-vendor disclosures — whether other AI coding agent providers (GitHub Copilot, Cursor, Cody, Replit Agent) are forced to disclose similar tool-allowlist or workspace-trust bypasses. Independent researchers are now actively probing the same attack surface.
- Industry-pattern enforcement — whether GitHub itself imposes default policies (automatic persist-credentials: false, forced tool allowlists, rate-limited issue triage triggers) on workflows declaring AI integrations.
- Detection and incident-response tooling — whether SAST / DAST and CI/CD security vendors begin shipping signatures specific to "agent prompt-injection-to-supply-chain" patterns. Today there are essentially no off-the-shelf detections for this class of attack.
Closing note on sources
Reporting in this article is drawn from Pillar Security's primary disclosure ("My Agentic Trust Issues: From Prompt Injection to Supply-Chain Compromise on gemini-cli", May 2026), Google's official security advisory GHSA-wpqr-6v78-jr5g, and secondary coverage from The Hacker News, SecurityWeek, The Register, and Hackread. Where direct quotes appear they are attributed to the original outlet. Adoption metrics (101,000+ stars on the gemini-cli repository) are sourced from Pillar Security's blog post and verifiable on GitHub.
Scoring Rationale
A CVSS 10 vulnerability tied to Google-related AI GitHub workflows and `gemini-cli` represents a major supply-chain security risk, justifying a high impact rating.