Google's Antigravity IDE Vulnerability Allows Remote Code Execution via Prompt Injection
Severity: High (Score: 70.5)
Sources: nvd.nist.gov, Csoonline, Cyberscoop, www.pillar.security, Darkreading
Summary
Researchers at Pillar Security discovered a critical prompt injection vulnerability in Google's Antigravity IDE, which allows for remote code execution (RCE) by exploiting insufficient input sanitization in the find_by_name tool's Pattern parameter. This flaw enables attackers to inject command-line flags into the underlying fd utility, effectively converting file operations into arbitrary code execution. The vulnerability circumvents Antigravity's Secure Mode, which is intended to restrict network access and enforce sandboxing of command operations. The issue was reported to Google on January 6, 2026, and was patched on February 28, 2026, with Pillar Security receiving a bounty for their discovery. The vulnerability is particularly concerning as it can be triggered by seemingly benign inputs, making it a significant threat to users relying on the IDE for secure development. This incident highlights the growing risks associated with agentic AI tools and the need for stricter validation of input parameters.
Key Points:
- A prompt injection vulnerability in Google's Antigravity IDE allows for remote code execution.
- The flaw bypasses the IDE's Secure Mode, which is intended to enforce security controls.
- Pillar Security reported the vulnerability in January 2026, and it was patched by February 2026.
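A defensive sketch of the flag-injection issue described in the summary, added here as an example and not taken from Antigravity, Google or Pillar Security. The function names, the /workspace path and the sample pattern are constructed assumptions; the code only builds and inspects the argument list and never runs fd.

```python
"""Added example: building the fd argument list for a find_by_name-style tool."""

FD = "fd"  # assumption: the binary is invoked by this name


class UnsafePattern(ValueError):
    """Raised when a pattern could be parsed as an option or is malformed."""


def naive_argv(pattern, root):
    # Weak form: the model-supplied pattern sits where fd still parses options.
    return [FD, pattern, root]


def hardened_argv(pattern, root):
    # Reject values that could be read as options or that carry control bytes.
    if not pattern or pattern.startswith("-"):
        raise UnsafePattern("pattern must not be empty or start with '-'")
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in pattern):
        raise UnsafePattern("pattern contains control characters")
    # A bare '--' ends option parsing; everything after it is positional.
    return [FD, "--", pattern, root]


def option_like(argv):
    """Return the arguments an option parser would treat as flags:
    anything starting with '-' that appears before a bare '--'."""
    flags = []
    for arg in argv[1:]:
        if arg == "--":
            break
        if arg.startswith("-") and arg != "-":
            flags.append(arg)
    return flags


if __name__ == "__main__":
    suspicious = "--constructed-flag=value"  # constructed sample, not a real fd flag
    print("naive   :", naive_argv(suspicious, "/workspace"),
          "-> parsed as flags:", option_like(naive_argv(suspicious, "/workspace")))
    try:
        hardened_argv(suspicious, "/workspace")
    except UnsafePattern as exc:
        print("hardened: rejected:", exc)
    safe = hardened_argv("*.py", "/workspace")
    print("hardened:", safe, "-> parsed as flags:", option_like(safe))
```

Pass the resulting list to the process API without a shell, so the pattern is never re-tokenised after validation.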
Key Entities
- Command Injection (attack_type)
- Prompt Injection (attack_type)
- Google (company)
- Pillar Security (company)
- Cursor (company)
- CVE-2026-22708 (cve)
- CWE-78 - OS Command Injection (cwe)
- CWE-79 - Cross-site Scripting (XSS) (cwe)
- T1059.004 - Unix Shell (mitre_attack)
- T1059 - Command and Scripting Interpreter (mitre_attack)
- AngularJS (platform)
- Antigravity (platform)
- Atlas Browser (platform)
- Google Gemini AI (platform)
- Fd (tool)
- Find_my_name (tool)