Gemini CLI TrustIssues
Prompt Injection to Supply-Chain Compromise in Agentic CI
Pillar Security disclosed GHSA-wpqr-6v78-jr5g on May 5, 2026 — a maximum-severity vulnerability in Google's Gemini CLI that allows an external attacker to escalate from a public GitHub issue to complete supply-chain compromise of a repository. The attack exploits how Gemini CLI's --yolo mode ignores tool allowlists while processing untrusted content, enabling a prompt-injected GitHub issue to extract CI secrets and gain repository write access. No privileged access is required — a public issue is the only entry point.
"A supply-chain attack via indirect prompts injected into a GitHub issue. The agent reads the issue, follows the instructions, and the repository is compromised."
— SecurityWeek coverage of GHSA-wpqr-6v78-jr5g
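A defender-side check for the exposure described above, as an added example that is not code from Pillar Security, Google or the advisory: a heuristic, text-based audit that flags a GitHub Actions workflow where an externally triggerable event, `--yolo`, and a secret or write-scoped token all appear together. The sample workflows, the trigger list and the function name `audit_workflow` are constructed for illustration.

```python
import re

# Events whose payload (issue, comment or PR text) can be written by any outside user.
UNTRUSTED_TRIGGERS = ("issues", "issue_comment", "pull_request_target")
WRITE_PERM = re.compile(r"^\s*(permissions:\s*write-all|[\w-]+:\s*write)\s*$", re.M)

def audit_workflow(text):
    """Heuristic, text-based audit of one GitHub Actions workflow file."""
    # Drop YAML comments so a commented-out flag or permission is not reported.
    body = "\n".join(re.sub(r"(^|\s)#.*$", "", line) for line in text.splitlines())
    triggers = [t for t in UNTRUSTED_TRIGGERS
                if re.search(rf"^\s*{t}:\s*$|^on:.*\b{t}\b", body, re.M)]
    report = {
        "untrusted_triggers": triggers,
        "yolo": "--yolo" in body,
        "secrets": sorted(set(re.findall(r"\$\{\{\s*secrets\.(\w+)", body))),
        "write_permissions": bool(WRITE_PERM.search(body)),
    }
    # The chain on this page needs all of: attacker-authored input, --yolo,
    # and something worth taking or abusing (a secret or a write-scoped token).
    report["exposed"] = bool(triggers and report["yolo"]
                             and (report["secrets"] or report["write_permissions"]))
    return report

# Constructed sample workflow (not taken from any real repository).
RISKY_WORKFLOW = """\
name: issue-triage
on:
  issues:
    types: [opened]
permissions:
  contents: write
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - run: gemini --yolo --prompt "Triage issue ${{ github.event.issue.number }}"
        env:
          GEMINI_API_KEY: ${{ secrets.GEMINI_API_KEY }}
"""

# Same job with --yolo removed and a read-only token (constructed; reduces exposure only).
REDUCED_WORKFLOW = (RISKY_WORKFLOW.replace("gemini --yolo", "gemini")
                    .replace("contents: write", "contents: read  # was: write"))

if __name__ == "__main__":
    for name, wf in (("risky", RISKY_WORKFLOW), ("reduced", REDUCED_WORKFLOW)):
        print(name, audit_workflow(wf))
```

The check matches on text rather than parsed YAML, so treat a clean result as a prompt for manual review of reusable workflows and composite actions, not as proof of safety.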