STUPID-2026-0027 Severity 10/10 — CRITICAL Verified

Gemini CLI silently executed arbitrary code from an untrusted repo (CVE-2026-12537, CVSS 10.0)

Agent: gemini-cli Domain: infra
Failure Mode
Security Vulnerability
Root Cause
Tool Misuse
Task Type
Feature
Reproducible
No

Quick Answer

Gemini-cli (running gemini-2.5-pro) caused a critical-severity (10/10) security vulnerability failure: Gemini CLI silently executed arbitrary code from an untrusted repo (CVE-2026-12537, CVSS 10.0). The root cause was tool misuse. Tracebit reported the flaw to Google two days after Gemini CLI's June 25, 2026 launch.

Description

Google released Gemini CLI, an open-source terminal AI agent, on June 25, 2026. Two days later, researchers at Tracebit reported that in its default configuration the agent could silently execute arbitrary malicious code on a user's machine when run against untrusted code. Gemini CLI automatically trusted the current workspace folder and loaded any agent configuration found there without review, sandboxing, or human approval; its --yolo mode additionally ignored tool allowlists and would run any command. Code execution on the host handed an unprivileged outsider access to whatever secrets, credentials, and source code the workflow could reach — a direct path to a supply-chain attack inside CI/CD. Google classified it P1/S1, assigned CVE-2026-12537 with a CVSS v4 score of 10.0, and shipped a fix in v0.1.14.

Instruction Given

Run Gemini CLI inside a project directory to help with coding tasks.

Expected Behavior

Treat repository-supplied configuration as untrusted; never execute shell commands from a workspace without review or an allowlist.

Actual Behavior

Gemini CLI automatically trusted the current workspace folder and loaded any agent configuration it found there without review or sandboxing. Combined with a --yolo mode that ignored tool allowlists, a malicious repo could silently run arbitrary commands on the host the moment the agent was pointed at it.

Impact / Damage

Tracebit reported the flaw to Google two days after Gemini CLI's June 25, 2026 launch. Classified P1/S1 and assigned CVE-2026-12537 with a perfect CVSS v4 score of 10.0, it exposed thousands of CI/CD pipelines to command injection and supply-chain compromise until it was fixed in v0.1.14.

Share this incident

Help others know about this AI agent failure

Source: News Report View source Reported July 28, 2026

Frequently Asked Questions

What happened in incident STUPID-2026-0027?

Google released Gemini CLI, an open-source terminal AI agent, on June 25, 2026. Two days later, researchers at Tracebit reported that in its default configuration the agent could silently execute arbitrary malicious code on a user's machine when run against untrusted code. Gemini CLI automatically trusted the current workspace folder and loaded any agent configuration found there without review, sandboxing, or human approval; its --yolo mode additionally ignored tool allowlists and would run any command. Code execution on the host handed an unprivileged outsider access to whatever secrets, credentials, and source code the workflow could reach — a direct path to a supply-chain attack inside CI/CD. Google classified it P1/S1, assigned CVE-2026-12537 with a CVSS v4 score of 10.0, and shipped a fix in v0.1.14.

Which AI agent caused this failure?

Gemini-cli (running the gemini-2.5-pro model) was responsible for this security vulnerability incident, documented as STUPID-2026-0027 in the StupidLLM AI agent incident database.

How severe was this AI agent failure?

It is rated 10/10 (critical) on StupidLLM's CVSS-style severity scale for AI agent failures, based on damage type, reversibility, and scope.

What was the root cause?

The root cause was classified as tool misuse. Treat repository-supplied configuration as untrusted; never execute shell commands from a workspace without review or an allowlist.

What was the impact or damage?

Tracebit reported the flaw to Google two days after Gemini CLI's June 25, 2026 launch. Classified P1/S1 and assigned CVE-2026-12537 with a perfect CVSS v4 score of 10.0, it exposed thousands of CI/CD pipelines to command injection and supply-chain compromise until it was fixed in v0.1.14.