External risk intelligence

Google Gemini CLI Container Launcher Host Code Execution Vulnerability

CVE advisorySeverity: CRITICAL (CVSS 10.0)

CVE-2026-12537

The vulnerability resides in a container launcher used by a CLI tool and a GitHub Action, specifically targeting headless CI platforms. These environments are typically isolated build-time or developer-centric execution contexts, not public-facing network services.

OS Command Injection

Google Gemini Cli

before 0.39.10.40.0before 0.1.22

Halo Surface Signal: 1 out of 5 — much less likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This advisory describes a critical vulnerability in a container launcher used by Google Gemini CLI and a related GitHub Action. The issue, if exploited, could allow an unprivileged attacker to execute code on a host system through a specially crafted file when running on certain automated build platforms. The primary concern is confirming if these specific tools and environments are in use within our organization.

  • Allows code execution on host systems.
  • Matters if automated build tools are in use.
  • Confirm relevance and exposure for automated builds.

Attack Path

How an attacker could exploit the issue

An unprivileged attacker could potentially execute arbitrary code on a host system by tricking the container launcher into processing a specially crafted configuration file. This could occur on headless CI platforms where the CLI tool or GitHub Action is used, allowing the attacker to gain control over the host.

  • Requires no prior access.
  • Triggered by a crafted configuration file.
  • Risk of host-level code execution.

Live Threat

Current exploitation, exposure, and threat context

On headless CI platforms, an unprivileged attacker could execute commands on the host system by using a maliciously crafted `.gemini/.env` file, which is supported by the advisory when using specific versions of the Google Gemini CLI or the run-gemini-cli GitHub Action.

  • Pre-sandbox host-level code execution.
  • Maliciously crafted .gemini/.env file.
  • Compromise of CI/CD pipeline.

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability impacts container launchers for the Gemini CLI and the `run-gemini-cli` GitHub Action, primarily affecting headless CI platforms. Owners of these CI/CD systems and associated platform teams should prioritize identifying where these tools are deployed, assessing their reachability and business criticality. The initial practical move involves confirming existing deployments, identifying accountable owners, and then planning remediation based on the potential risk to host-level execution within the CI environment.

  • Platform and CI/CD teams own resolution.
  • Verify Gemini CLI and GitHub Action deployments.
  • Plan remediation for identified instances.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is the Google Gemini CLI?

Google Gemini CLI is a command-line interface tool that enables developers to interact with Gemini models directly from their terminals. It is frequently used in automated workflows, including headless CI platforms where developers integrate the `run-gemini-cli` GitHub Action to automate building, testing, or deployment tasks within software development pipelines.

What is the vulnerability in CVE-2026-12537?

This CVE involves a weakness classified as Improper Neutralization of Special Elements used in an OS Command (CWE-20). In plain English, the container launcher fails to properly sanitize inputs, allowing unauthorized commands to be executed on the underlying host system instead of being safely contained within the intended environment.

How is this vulnerability triggered?

An attacker triggers the vulnerability by introducing a maliciously crafted `.gemini/.env` file into the build environment. The flaw exists specifically within the container launcher component. Importantly, the bug is not triggered by standard usage or legitimate configurations; it requires the presence of this specifically manipulated file to deceive the launcher.

Is my system at risk if it isn't internet-facing?

Halo Surface Signal notes that this vulnerability targets headless CI platforms, which are often isolated. While it is not a traditional public-facing web service, the risk is high if an attacker can introduce the crafted file into your CI pipeline. Even internal build environments should be evaluated, as the vulnerability grants code execution at the host level, bypassing standard sandbox protections.

How should I respond to CVE-2026-12537?

Start by identifying all instances of the Google Gemini CLI and the `run-gemini-cli` GitHub Action within your CI/CD infrastructure. Confirm which versions are currently in use, as the vulnerability affects versions prior to 0.39.1 for the CLI and 0.1.22 for the GitHub Action. Coordinate with your platform and CI/CD teams to schedule updates for all affected tools to eliminate the execution risk.

References