Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
CVE Vulnerability Details :
CVE-2026-12537
PUBLISHED
More InfoOfficial Page
Assigner-GoogleCloud
Assigner Org ID-f45cbf4e-4146-4068-b7e1-655ffc2c548c
View Known Exploited Vulnerability (KEV) details
Published At-24 Jun, 2026 | 13:37
Updated At-24 Jun, 2026 | 13:53
Rejected At-
▼CVE Numbering Authority (CNA)
Unauthenticated Remote Code Execution in Gemini CLI CI/CD Workflows

Improper Neutralization used in an OS Command in the container launcher in Google Gemini CLI (versions prior to 0.39.1) and run-gemini-cli GitHub Action (versions prior to 0.1.22) on headless CI platforms allows an unprivileged attacker to achieve pre-sandbox host-level code execution a maliciously crafted .gemini/.env file.

Affected Products
Vendor
Google CloudGoogle Cloud
Product
Gemini CLI
Default Status
unaffected
Versions
Affected
  • From 0 before 0.39.1 (custom)
Vendor
Google CloudGoogle Cloud
Product
run-gemini-cli GitHub Action
Default Status
unaffected
Versions
Affected
  • From 0 before 0.1.22 (custom)
Problem Types
TypeCWE IDDescription
CWECWE-20CWE-20 Improper Input Validation
Type: CWE
CWE ID: CWE-20
Description: CWE-20 Improper Input Validation
Metrics
VersionBase scoreBase severityVector
4.010.0CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/U:Clear
Version: 4.0
Base score: 10.0
Base severity: CRITICAL
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/U:Clear
Metrics Other Info
Impacts
CAPEC IDDescription
CAPEC-88CAPEC-88 OS Command Injection
CAPEC ID: CAPEC-88
Description: CAPEC-88 OS Command Injection
Solutions

Ensure you are using the latest version of gemini cli and follow the best practices guide https://github.com/google-github-actions/run-gemini-cli/blob/main/docs/trust-guidance.md .

Configurations

Workarounds

Exploits

Credits

reporter
Elad Meged of Novee Security
reporter
Devansh Batham
Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://github.com/google-github-actions/run-gemini-cli/security/advisories/GHSA-wpqr-6v78-jr5g
N/A
Hyperlink: https://github.com/google-github-actions/run-gemini-cli/security/advisories/GHSA-wpqr-6v78-jr5g
Resource: N/A
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
Details not found