Critical Gemini CLI Vulnerability Allows Arbitrary Code Execution
A critical vulnerability in Google's Gemini CLI, tracked as CVE-2026-12537, has been disclosed. It enables attackers to execute arbitrary code in CI/CD environments, particularly within GitHub Actions workflows. The flaw affects versions of @google/gemini-cli prior to 0.39.1 and 0.40.0-preview.3, as well as the google-github-actions/run-gemini-cli GitHub Action. It poses a significant risk to headless CI platforms, where processing an untrusted workspace can lead to host-level code execution. The issue was published on June 24, 2026, and is rated at the maximum severity under CVSS v4. Organizations using affected versions are urged to take immediate action to mitigate the risk.
Key Points:
• CVE-2026-12537 allows arbitrary code execution in specific CI/CD environments.
• Affected versions include @google/gemini-cli before 0.39.1 and 0.40.0-preview.3.
• The vulnerability was published on June 24, 2026, and is rated critical under CVSS v4.
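The following is an added example, not code from the advisory or from Google: a small check that decides whether an installed @google/gemini-cli version falls below the fixed versions named above, and that lists where a workflow file pins the run-gemini-cli action so those pins can be reviewed. Semver prerelease ordering, the treatment of other 0.40.0 prerelease tags as affected, the `uses:` pattern and the sample workflow are all assumptions made for this example.

```python
import re

# Fixed versions as stated in the advisory.
FIXED_STABLE = "0.39.1"
FIXED_PREVIEW = "0.40.0-preview.3"

_SEMVER = re.compile(
    r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$"
)

def parse(version):
    """Parse MAJOR.MINOR.PATCH[-PRERELEASE] into a tuple that sorts by semver rules."""
    m = _SEMVER.match(version.strip())
    if not m:
        raise ValueError(f"not a semver string: {version!r}")
    core = tuple(int(x) for x in m.group(1, 2, 3))
    pre = m.group(4)
    if pre is None:
        # A release sorts after every prerelease of the same core version.
        return core, (1,), ()
    ids = []
    for ident in pre.split("."):
        # Numeric identifiers compare as integers and sort before alphanumeric ones.
        ids.append((0, int(ident), "") if ident.isdigit() else (1, 0, ident))
    return core, (0,), tuple(ids)

def is_affected(version):
    """True when this @google/gemini-cli version is below the fix for its release line."""
    v = parse(version)
    core, release_flag, _ = v
    if core == (0, 40, 0) and release_flag == (0,):
        # 0.40.0 prerelease line: fixed from 0.40.0-preview.3 onwards (assumption:
        # any other 0.40.0 prerelease tag that sorts lower is treated as affected).
        return v < parse(FIXED_PREVIEW)
    return v < parse(FIXED_STABLE)

# Assumed form of a workflow step that uses the action; the ref is returned for review
# because the advisory names the action but not a fixed version for it.
_ACTION_REF = re.compile(r"uses:\s*google-github-actions/run-gemini-cli@(\S+)")

def find_action_refs(workflow_yaml):
    """Return the refs (tag or SHA) at which a workflow pins run-gemini-cli."""
    return _ACTION_REF.findall(workflow_yaml)

# Constructed sample workflow fragment for demonstration.
SAMPLE_WORKFLOW = """\
jobs:
  review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: google-github-actions/run-gemini-cli@v1
"""
```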