Google Fixes CVSS 10 Gemini CLI CI RCE and Cursor Flaws Enable Code Execution
Google and Cursor have patched critical (RCE) vulnerabilities in AI tools and CI/CD
Google and Cursor Patch Critical RCE Flaws in AI Tools and CI/CD Workflows
TL;DR: Google has patched a CVSS 10.0 vulnerability in the Gemini CLI that allowed unprivileged Remote Code Execution (RCE) in CI/CD environments. Simultaneously, the Cursor IDE fixed a sandbox escape flaw (CVE-2026-26268) triggered by malicious Git hooks through AI prompt injection. If you use Gemini in your GitHub Actions or develop using Cursor, you must update your tools immediately to prevent host system compromise.
The Gemini CLI Critical Flaw: CVSS 10.0 Without a CVE
Google recently addressed a maximum-severity security hole in its Gemini command-line interface tools. The vulnerability affected the @google/gemini-cli npm package and the google-github-actions/run-gemini-cli GitHub Actions workflow.
According to a report by Novee Security, the flaw allowed an unprivileged external attacker to force malicious content to load as a Gemini configuration. This bypassed the security sandbox entirely because the command execution occurred directly on the host system before the agent’s sandbox could even initialize.
What is a Sandbox? In cybersecurity, a sandbox is an isolated environment where code is executed so that it cannot affect the rest of the system. Bypassing this means the attacker gains direct access to the machine running the code.
Surprisingly, while the flaw carries a perfect CVSS score of 10.0, it does not have a formal CVE identifier. The impact is specifically limited to workflows using Gemini CLI in "headless mode" (automated environments without a user interface).
How the Gemini Attack Works in CI/CD
In versions prior to the patch, Gemini CLI running in CI environments automatically trusted workspace folders. This meant it would automatically load configuration and environment variables from the local directory.
If a developer used Gemini CLI to review untrusted pull requests, an attacker could include a malicious .gemini/ directory in their PR. The tool would load these malicious environment variables, leading to Remote Code Execution (RCE) on the runner executing the workflow. This essentially turns a standard CI/CD pipeline into a path for supply-chain attacks.
Furthermore, when running in --yolo mode (an auto-approve mode), Gemini CLI previously ignored tool allowlists, allowing untrusted inputs—such as those from a GitHub issue—to execute dangerous commands like run_shell_command without user confirmation.
Securing Cursor IDE: Sandbox Escapes and Git Hooks
Cursor, the popular AI-powered IDE, was also found to be vulnerable. Researchers Assaf Levkovich and Novee Security identified CVE-2026-26268 (CVSS 8.1), a sandbox escape that leverages how AI agents interact with Git.
The attack follows this sequence:
- A user clones a repository containing a hidden, malicious "bare" Git repository with a post-checkout hook.
- The user asks the Cursor AI agent an innocent question, like "explain this code."
- The AI agent, following instructions in a file like AGENTS.md, performs a git checkout.
- The malicious hook triggers automatically, executing code on the developer’s machine outside the AI's reasoning chain and the user's view.
What is a Git Hook? Git hooks are scripts that Git executes before or after events such as committing or checking out code. They are powerful but can be dangerous if hidden in untrusted repositories.
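As an added illustration (not code from the article, from Google, Cursor or the researchers), the following Python script performs a defender's pre-flight scan of an untrusted checkout for the two artefacts described above: a `.gemini/` workspace configuration directory that a trusting CLI would load, and a nested bare Git repository carrying live (non-`.sample`) hooks. The constructed sample tree, the `.env` file name and the `vendor/lib.git` path are assumptions made for the demo; the clone's own top-level `.git/` is skipped because its hooks are not part of the repository contents.

```python
"""Pre-flight scan of an untrusted checkout (added example, not the article's code)."""
import os
import tempfile
from pathlib import Path

GEMINI_CONFIG_DIR = ".gemini"                      # workspace config dir the CLI auto-loads when trusted
BARE_REPO_MARKERS = ("HEAD", "objects", "refs")    # minimal on-disk layout of a bare repository
SKIP_TOP_LEVEL_GIT = True                          # the clone's own .git is not attacker-supplied content


def is_bare_repo(path: Path) -> bool:
    """A directory carrying HEAD, objects/ and refs/ is usable as a bare repo (and can hold hooks)."""
    return all((path / m).exists() for m in BARE_REPO_MARKERS)


def live_hooks(hooks_dir: Path):
    """Yield hook files Git would actually consider running; the shipped *.sample files are inert."""
    for f in sorted(hooks_dir.iterdir()):
        if f.is_file() and not f.name.endswith(".sample"):
            yield f


def scan_tree(root) -> list:
    """Walk a checkout and return sorted (kind, relative_path) findings."""
    root = Path(root)
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        p = Path(dirpath)
        # Hazard 1: workspace configuration that a trusting CLI would load from the repo contents.
        if p.name == GEMINI_CONFIG_DIR:
            for name in sorted(filenames):
                findings.append(("gemini-config", (p / name).relative_to(root).as_posix()))
            continue
        # Hazard 2: a nested .git directory or bare repo whose hooks/ holds live scripts.
        is_git_dir = p.name == ".git"
        if is_git_dir and SKIP_TOP_LEVEL_GIT and p.parent == root:
            continue
        if is_git_dir or is_bare_repo(p):
            hooks = p / "hooks"
            if hooks.is_dir():
                for h in live_hooks(hooks):
                    findings.append(("git-hook", h.relative_to(root).as_posix()))
    return sorted(findings)


def build_demo_tree(base: Path) -> None:
    """Constructed sample checkout: an innocent-looking project carrying both hazards."""
    (base / "src").mkdir(parents=True)
    (base / "src" / "app.py").write_text("print('hello')\n")
    # The clone's own metadata, with only inert sample hooks (must not be reported).
    (base / ".git" / "hooks").mkdir(parents=True)
    (base / ".git" / "hooks" / "pre-push.sample").write_text("#!/bin/sh\n")
    # Hazard 1: a workspace config dir smuggled in with the repository contents (constructed).
    (base / GEMINI_CONFIG_DIR).mkdir()
    (base / GEMINI_CONFIG_DIR / ".env").write_text("EXAMPLE_VAR=constructed\n")
    # Hazard 2: a nested bare repo with a live post-checkout hook (constructed path).
    bare = base / "vendor" / "lib.git"
    (bare / "objects").mkdir(parents=True)
    (bare / "refs").mkdir()
    (bare / "HEAD").write_text("ref: refs/heads/main\n")
    (bare / "hooks").mkdir()
    (bare / "hooks" / "pre-commit.sample").write_text("#!/bin/sh\n")
    (bare / "hooks" / "post-checkout").write_text("#!/bin/sh\necho constructed-demo-hook\n")


def demo() -> list:
    """Build the constructed tree in a temp dir, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_demo_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    for kind, rel in demo():
        print(f"{kind:14s} {rel}")
```

Run it against a real checkout with `scan_tree("/path/to/checkout")` in a CI step before any agent is invoked; a non-empty result is a reason to fail the job or to leave `GEMINI_TRUST_WORKSPACE` unset for that run. The scan is a layout check only: it does not parse or execute anything it finds.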
The "CursorJacking" Risk
A second, currently unpatched vulnerability in Cursor was identified by Roy Paz at LayerX. Dubbed "CursorJacking" (CVSS 8.2), this flaw involves a lack of access control boundaries.
Any installed extension can currently access Cursor’s local SQLite database, which stores sensitive API keys and session tokens. If a developer installs a rogue extension, that extension could steal credentials, leading to account takeover or financial loss through unauthorized API usage. Cursor has noted that this risk is limited to local file system access granted to extensions, reinforcing the need for caution when installing third-party tools.
Required Actions for Moroccan Practitioners
To secure your development environments and CI/CD pipelines, follow these mitigation steps immediately:
For Google Gemini CLI Users:
- Update npm package: Move to @google/gemini-cli version 0.39.1 or 0.40.0-preview.3 and above.
- Update GitHub Actions: Use google-github-actions/run-gemini-cli version 0.1.22 or later.
- Configuration: Only set GEMINI_TRUST_WORKSPACE: 'true' if you are sure the inputs (like PRs) come from trusted collaborators. Otherwise, follow Google's hardening guidance for untrusted directory contents.
For Cursor IDE Users:
- Update Software: Ensure you are running Cursor version 2.5 or later to fix the Git hook RCE.
- Extension Audit: Only download and install IDE extensions from trusted sources to prevent the "CursorJacking" credential theft.
- Workflow Review: Be cautious when asking AI agents to interact with folders or cloned repositories from unknown sources.
Conclusion
As AI agents become deeply integrated into our IDEs and deployment pipelines, the attack surface for developers is shifting. These vulnerabilities highlight that traditional security boundaries—like sandboxes and local databases—must be redesigned to account for autonomous AI actions. For the Moroccan tech community, staying updated is the first line of defense against these high-velocity threats.
Source: The Hacker News - Google Fixes CVSS 10 Gemini CLI CI RCE and Cursor Flaws