The loud part of last week's Gemini CLI advisory was the CVSS 10.0 score. The more useful part was where the bug lived.
It was not some exotic model jailbreak. It was trust. Gemini CLI, in headless CI mode, could treat the workspace as trusted early enough to load configuration from repository-controlled files. Cursor, in a separate advisory, let a malicious agent write .git settings and hooks that Git would later execute automatically. Different products, different mechanics, same failure: the dangerous boundary moved from "what code did the model generate?" to "what did the tool trust before anyone noticed?"
That is why the Reddit thread on r/devops mattered. It was not just gawking at another AI security headline. It was developers noticing that agentic tooling is dragging old supply chain problems into new places: PR review bots, issue triage jobs, local IDE agents, and any workflow where a tool reads repository state and then acts with contributor-level privileges.
What is verified
GitHub's reviewed advisory for @google/gemini-cli and google-github-actions/run-gemini-cli says versions before 0.39.1 could automatically trust workspace folders in headless mode. In a CI workflow that processes untrusted pull requests or other untrusted directory contents, that meant Gemini CLI could load configuration and environment variables from the workspace before an operator explicitly trusted it. GitHub scores the issue at CVSS 10.0 and says the impact affects all Gemini CLI GitHub Actions until users review their workflows and update trust handling.
The same advisory documents a second hardening change. Under --yolo, older Gemini CLI versions ignored fine-grained tool allowlists in ~/.gemini/settings.json. A workflow that thought it had allowed only safe shell commands could, in practice, allow much more. GitHub says that combination could lead to remote code execution through prompt injection when Gemini CLI ran on untrusted inputs. The patches landed in @google/gemini-cli 0.39.1 and 0.40.0-preview.3, plus google-github-actions/run-gemini-cli 0.1.22.
Cursor's repository advisory is narrower but points at the same design pressure. Cursor says versions before 2.5 allowed sandbox escape through writes to .git configuration. The advisory says a malicious agent, including one steered by prompt injection, could write improperly protected Git settings such as hooks. Git would then execute those commands automatically later, with no extra user interaction required. Cursor lists the issue as CVE-2026-26268, severity High, fixed in version 2.5.
Novee Security's writeups add useful context to both cases. Its Gemini post argues the flaw created an infrastructure-level execution path in CI before the agent's sandbox even started. Its Cursor post makes a different but related point: once an AI coding agent autonomously runs Git operations inside an untrusted repository, old Git behavior stops being background plumbing and becomes part of the attack surface.
The real issue is earlier than the prompt
People talk about prompt injection as if the prompt is the first place trust breaks. These advisories show that the more interesting failures can happen earlier.
A repository is not just source code. It is also config, hooks, nested repos, workspace state, issue text, CI glue, and tool-specific directories. Once an agent is allowed to read that environment and act on it automatically, repository metadata starts behaving like executable policy.
That is the part many AI tool pitches still blur. "The agent is sandboxed" sounds reassuring, but it misses the order of operations. If a tool loads untrusted configuration before the sandbox boundary is enforced, or if it can plant commands into Git-managed state that another trusted component will execute later, the compromise path does not need to look like a classic sandbox break at all. The bad decision already happened.
Gemini's case is the cleaner example because GitHub's advisory spells it out. The risky step was automatic workspace trust in headless mode, especially in workflows that review outside contributions. Cursor's case is more about feature interaction: Git hooks and .git state were not invented for AI agents, but autonomous Git usage makes those mechanics much easier to trip at scale.
Why this keeps showing up in developer tools
AI coding tools inherit too much ambient authority.
In CI, they sit next to repo secrets, package credentials, cloud tokens, and write access to branches or artifacts. On laptops, they sit inside editors that routinely clone random repositories, inspect project files, and run shell commands. The model is the flashy part, but the blast radius comes from everything around it.
That is why the r/devops reaction was more grounded than a lot of broader AI discourse. One commenter asked why anyone would run an agent in CI at all. Others answered with the obvious use cases: code review, security review, lint and test cleanup, migrations. That exchange is the story. Teams are already putting these tools into automation paths that touch untrusted content. The question is no longer whether that pattern exists. It is whether vendors are designing for it honestly.
The weak Hacker News pickup matters too. At research time, the closest HN discussion had only a few points and no comments. This is a serious class of bug that still has not fully entered mainstream developer instinct. That gap gives teams a false sense that the problem is theoretical or niche.
What remains uncertain
A few boundaries need to stay clean.
First, the Gemini advisory is clear about the conditions, but not every workflow using Gemini CLI was equally exposed. The risk depends on headless operation, whether the workflow handled untrusted directory contents, and how tool permissions were configured. "All Gemini CLI GitHub Actions" should be read as "all need review," not "all were equally exploitable in the wild."
Second, Gemini's advisory carries a GHSA identifier and a CVSS score but no CVE ID. That does not weaken the issue, but it is worth stating plainly because third-party coverage often compresses all identifiers into one undifferentiated security blob.
Third, Cursor's official advisory is older than the current Reddit discussion. Cursor published CVE-2026-26268 on February 13, and Novee published its detailed writeup on April 28. So the fresh part is not the existence of the Cursor bug itself. The fresh part is the way developers are now grouping it with Gemini as the same broader trust-boundary problem.
Finally, these are not identical bugs and should not be flattened into one incident. Gemini involved workspace trust and tool allowlisting in CI and headless use. Cursor involved writes to Git state and later hook execution. The common lesson is about trust placement, not identical exploit chains.
Practical takeaways
If you run AI coding tools on untrusted pull requests, issues, or cloned repositories, treat repository-controlled config as hostile until proven otherwise.
If you use Gemini CLI in CI, upgrade to patched versions and review where GEMINI_TRUST_WORKSPACE is set. If the workflow touches untrusted content, the old "just trust the folder and keep moving" model is gone for a reason.
If you use agentic IDE workflows, audit what the tool can write inside .git, what Git operations it can trigger, and whether nested repository tricks or hooks can survive normal repo hygiene.
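As an added illustration of the audit steps above, and of the Git-hook mechanics discussed in the Cursor case, the following Python pre-flight script is not code from the advisories, Gemini CLI, Cursor, or Novee. It inspects a checked-out workspace before an agent runs and reports repository-controlled state of the kinds the advisories describe as risky: executable Git hooks, a core.hooksPath override in .git/config, nested .git directories, tool-specific config directories inside the repo, and whether GEMINI_TRUST_WORKSPACE is set in the environment. The tool directory names in TOOL_CONFIG_DIRS and the constructed sample workspace in build_constructed_workspace are assumptions; the script only reports what it finds and leaves the policy decision to the workflow.

```python
"""Pre-flight audit of a checked-out workspace before an AI coding agent runs.

Added example, not code from the Gemini CLI or Cursor advisories, the tools
themselves, or Novee Security. It flags repository-controlled state that an
agent, or Git acting on the agent's behalf, could later execute or load.
"""
import os
import stat
import tempfile
from dataclasses import dataclass
from pathlib import Path

# Assumption: tool config directories worth flagging; adjust for your tooling.
TOOL_CONFIG_DIRS = (".gemini", ".cursor")


@dataclass(frozen=True)
class Finding:
    kind: str   # short category for the CI log / policy decision
    path: str   # offending path (relative to the workspace) or value


def _git_config_value(config_path: Path, section: str, key: str):
    """Minimal reader for the INI-like .git/config: returns section.key or None."""
    current = None
    for raw in config_path.read_text().splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].split()[0].lower()   # "[core]" -> "core"
            continue
        if current == section and "=" in line:
            k, v = (s.strip() for s in line.split("=", 1))
            if k.lower() == key.lower():               # git keys are case-insensitive
                return v
    return None


def audit_workspace(root: Path, env=None) -> list[Finding]:
    """Return every finding for the workspace at `root` (no side effects)."""
    env = os.environ if env is None else env
    root = root.resolve()
    findings: list[Finding] = []

    # 1. Hooks Git would run automatically on checkout/commit/merge.
    hooks_dir = root / ".git" / "hooks"
    if hooks_dir.is_dir():
        for hook in sorted(hooks_dir.iterdir()):
            if hook.suffix == ".sample":               # Git's inert templates
                continue
            if hook.is_file() and hook.stat().st_mode & stat.S_IXUSR:
                findings.append(Finding("executable-hook", hook.relative_to(root).as_posix()))

    # 2. core.hooksPath redirects hook lookup, possibly into tracked files.
    config = root / ".git" / "config"
    if config.is_file():
        hooks_path = _git_config_value(config, "core", "hookspath")
        if hooks_path is not None:
            findings.append(Finding("custom-hooks-path", hooks_path))

    # 3. Nested repositories carry their own config and hooks.
    for dirpath, dirnames, _ in os.walk(root):
        rel = Path(dirpath).relative_to(root)
        if rel != Path(".") and ".git" in dirnames:
            findings.append(Finding("nested-git", (rel / ".git").as_posix()))
        dirnames[:] = [d for d in dirnames if d != ".git"]   # never descend into .git

    # 4. Tool config shipped inside the repository itself.
    for name in TOOL_CONFIG_DIRS:
        if (root / name).exists():
            findings.append(Finding("tool-config-in-repo", name))

    # 5. Workspace-trust override present in the environment (value not interpreted).
    if "GEMINI_TRUST_WORKSPACE" in env:
        findings.append(Finding("trust-env-set", env["GEMINI_TRUST_WORKSPACE"]))
    return findings


def build_constructed_workspace(root: Path) -> None:
    """Constructed sample workspace (not a real repository) that trips every check."""
    (root / ".git" / "hooks").mkdir(parents=True)
    hook = root / ".git" / "hooks" / "post-checkout"
    hook.write_text("#!/bin/sh\necho constructed hook\n")
    hook.chmod(0o755)
    (root / ".git" / "hooks" / "pre-commit.sample").write_text("# inert sample\n")
    (root / ".git" / "config").write_text("[core]\n\thooksPath = .githooks\n")
    (root / "vendor" / "lib" / ".git").mkdir(parents=True)
    (root / ".gemini").mkdir()


def demo() -> list[str]:
    """Audit the constructed workspace and return findings as 'kind:path' strings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_constructed_workspace(root)
        findings = audit_workspace(root, env={"GEMINI_TRUST_WORKSPACE": "1"})
        return [f"{f.kind}:{f.path}" for f in findings]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Run it as a CI step before the agent starts and fail the job, or fall back to a minimal permission set, when the finding list is non-empty. The environment check deliberately reports only that GEMINI_TRUST_WORKSPACE is set, because the advisory names the variable without documenting its accepted values, and interpreting it here would be a guess.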
More broadly, stop asking only whether the model can be tricked. Ask what gets trusted before the model even starts reasoning, and what nearby component will quietly execute on the model's behalf later.
That is where the next ugly bug is likely to land.
Sources
- Reddit r/devops hot thread: "AI coding tools are now a CVSS 10.0 CI/CD supply chain vector - patch Gemini CLI and update Cursor"
https://old.reddit.com/r/devops/comments/1t26rnm/ai_coding_tools_are_now_a_cvss_100_cicd_supply/
- GitHub advisory API for Gemini CLI / run-gemini-cli: GHSA-wpqr-6v78-jr5g
https://api.github.com/advisories/GHSA-wpqr-6v78-jr5g
- GitHub advisory page for Gemini CLI / run-gemini-cli
https://github.com/advisories/GHSA-wpqr-6v78-jr5g
- Cursor repository advisory: GHSA-8pcm-8jpx-hv8r / CVE-2026-26268
https://github.com/cursor/cursor/security/advisories/GHSA-8pcm-8jpx-hv8r
- Novee Security: "A CVSS 10.0 in Gemini CLI: How Agentic Workflows Are Reshaping Supply Chain Risk"
https://novee.security/blog/google-gemini-cli-rce-vulnerability-cvss-10-critical-security-advisory/
- Novee Security: "Your AI Coding Agent Will Run This Exploit For You: How We Found a High-Severity CVE in Cursor"
https://novee.security/blog/cursor-ide-cve-2026-26268-git-hook-arbitrary-code-execution/
- Hacker News discussion: "Whose Trust Is It Anyway? Configuration Boundaries in AI Development Tools"
https://news.ycombinator.com/item?id=47963671