CVE-2026-12537 - Vulnerability Details - OpenCVE

Improper Neutralization used in an OS Command in the container launcher in Google Gemini CLI (versions prior to 0.39.1) and run-gemini-cli GitHub Action (versions prior to 0.1.22) on headless CI platforms allows an unprivileged attacker to achieve pre-sandbox host-level code execution a maliciously crafted .gemini/.env file.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact High

Subsequent System Integrity Impact High

Subsequent System Availability Impact High

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Exploitation none

Automatable yes

Technical Impact total

No data.

No data.

No data.

OpenCVE Enrichment is a feature of OpenCVE that uses AI to automatically link vendors and products to CVEs. Learn more on GitHub.

Vendors	Products

References

Link	Providers
https://github.com/google-github-actions/run-gemini-cli/security/advisories/GHSA-wpqr-6v78-jr5g

History

Wed, 24 Jun 2026 14:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Wed, 24 Jun 2026 13:45:00 +0000

Type	Values Removed	Values Added
Description		Improper Neutralization used in an OS Command in the container launcher in Google Gemini CLI (versions prior to 0.39.1) and run-gemini-cli GitHub Action (versions prior to 0.1.22) on headless CI platforms allows an unprivileged attacker to achieve pre-sandbox host-level code execution a maliciously crafted .gemini/.env file.
Title		Unauthenticated Remote Code Execution in Gemini CLI CI/CD Workflows
Weaknesses		CWE-20
References		https://github.com/google-github-actions/run-gemini-cli/security/advisories/GHSA-wpqr-6v78-jr5g
Metrics		cvssV4_0 `{'score': 10, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/U:Clear'}`

MITRE

Status: PUBLISHED

Assigner: GoogleCloud

Published: 2026-06-24T13:37:21.872Z

Updated: 2026-06-24T13:53:24.904Z

Reserved: 2026-06-17T15:08:00.562Z

Link: CVE-2026-12537

Vulnrichment

Updated: 2026-06-24T13:52:36.223Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T14:30:17Z

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-12537", "assignerOrgId": "f45cbf4e-4146-4068-b7e1-655ffc2c548c", "state": "PUBLISHED", "assignerShortName": "GoogleCloud", "dateReserved": "2026-06-17T15:08:00.562Z", "datePublished": "2026-06-24T13:37:21.872Z", "dateUpdated": "2026-06-24T13:53:24.904Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "f45cbf4e-4146-4068-b7e1-655ffc2c548c", "shortName": "GoogleCloud", "dateUpdated": "2026-06-24T13:37:21.872Z"}, "title": "Unauthenticated Remote Code Execution in Gemini CLI CI/CD Workflows", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-20", "description": "CWE-20 Improper Input Validation", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-88", "descriptions": [{"lang": "en", "value": "CAPEC-88 OS Command Injection"}]}], "affected": [{"vendor": "Google Cloud", "product": "Gemini CLI", "versions": [{"status": "affected", "version": "0", "lessThan": "0.39.1", "versionType": "custom"}], "defaultStatus": "unaffected"}, {"vendor": "Google Cloud", "product": "run-gemini-cli GitHub Action", "versions": [{"status": "affected", "version": "0", "lessThan": "0.1.22", "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Improper Neutralization used in an OS Command in the container launcher in Google Gemini CLI (versions prior to 0.39.1) and run-gemini-cli GitHub Action (versions prior to 0.1.22) on headless CI platforms allows an unprivileged attacker to achieve pre-sandbox host-level code execution a maliciously crafted .gemini/.env file.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Improper Neutralization used in an OS Command in the container launcher in Google Gemini CLI (versions prior to 0.39.1) and run-gemini-cli GitHub Action (versions prior to 0.1.22) on headless CI platforms allows an unprivileged attacker to achieve pre-sandbox host-level code execution a maliciously crafted .gemini/.env file."}]}], "references": [{"url": "https://github.com/google-github-actions/run-gemini-cli/security/advisories/GHSA-wpqr-6v78-jr5g"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "subIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "CLEAR", "version": "4.0", "baseSeverity": "CRITICAL", "baseScore": 10, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/U:Clear"}}], "solutions": [{"lang": "en", "value": "Ensure you are using the latest version of gemini cli and follow the best practices guide https://github.com/google-github-actions/run-gemini-cli/blob/main/docs/trust-guidance.md .", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Ensure you are using the latest version of gemini cli and follow the <a href=\"https://github.com/google-github-actions/run-gemini-cli/blob/main/docs/trust-guidance.md\">best practices guide</a>."}]}], "credits": [{"lang": "en", "value": "Elad Meged of Novee Security", "type": "reporter"}, {"lang": "en", "value": "Devansh Batham", "type": "reporter"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 1.0.2"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-06-24T13:52:11.782979Z", "id": "CVE-2026-12537", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-24T13:53:24.904Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-12537", "assignerOrgId": "f45cbf4e-4146-4068-b7e1-655ffc2c548c", "state": "PUBLISHED", "assignerShortName": "GoogleCloud", "dateReserved": "2026-06-17T15:08:00.562Z", "datePublished": "2026-06-24T13:37:21.872Z", "dateUpdated": "2026-06-24T13:53:24.904Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "f45cbf4e-4146-4068-b7e1-655ffc2c548c", "shortName": "GoogleCloud", "dateUpdated": "2026-06-24T13:37:21.872Z"}, "title": "Unauthenticated Remote Code Execution in Gemini CLI CI/CD Workflows", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-20", "description": "CWE-20 Improper Input Validation", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-88", "descriptions": [{"lang": "en", "value": "CAPEC-88 OS Command Injection"}]}], "affected": [{"vendor": "Google Cloud", "product": "Gemini CLI", "versions": [{"status": "affected", "version": "0", "lessThan": "0.39.1", "versionType": "custom"}], "defaultStatus": "unaffected"}, {"vendor": "Google Cloud", "product": "run-gemini-cli GitHub Action", "versions": [{"status": "affected", "version": "0", "lessThan": "0.1.22", "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Improper Neutralization used in an OS Command in the container launcher in Google Gemini CLI (versions prior to 0.39.1) and run-gemini-cli GitHub Action (versions prior to 0.1.22) on headless CI platforms allows an unprivileged attacker to achieve pre-sandbox host-level code execution a maliciously crafted .gemini/.env file.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Improper Neutralization used in an OS Command in the container launcher in Google Gemini CLI (versions prior to 0.39.1) and run-gemini-cli GitHub Action (versions prior to 0.1.22) on headless CI platforms allows an unprivileged attacker to achieve pre-sandbox host-level code execution a maliciously crafted .gemini/.env file."}]}], "references": [{"url": "https://github.com/google-github-actions/run-gemini-cli/security/advisories/GHSA-wpqr-6v78-jr5g"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "subIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "CLEAR", "version": "4.0", "baseSeverity": "CRITICAL", "baseScore": 10, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/U:Clear"}}], "solutions": [{"lang": "en", "value": "Ensure you are using the latest version of gemini cli and follow the best practices guide https://github.com/google-github-actions/run-gemini-cli/blob/main/docs/trust-guidance.md .", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Ensure you are using the latest version of gemini cli and follow the <a href=\"https://github.com/google-github-actions/run-gemini-cli/blob/main/docs/trust-guidance.md\">best practices guide</a>."}]}], "credits": [{"lang": "en", "value": "Elad Meged of Novee Security", "type": "reporter"}, {"lang": "en", "value": "Devansh Batham", "type": "reporter"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 1.0.2"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-12537", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-06-24T13:52:11.782979Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-24T13:52:36.223Z"}}]}}