Home > Tech

If you’re coding with Gemini CLI, you need this security update

Researchers discovered that Google's AI coding tool has a serious vulnerability.
 By 
Meera Navlakha
 on 
Share on Facebook Share on Twitter Share on Flipboard
A Google logo in the background, with a phone displaying "Gemini" on the screen.
Credit: CFOTO / Future Publishing / Getty Images.

Cybersecurity researchers say they've identified a major vulnerability within Google's Gemini CLI, an open-source AI agent for coding. Because of the vulnerability, attackers could use prompt injection attacks to steal sensitive data, the researchers claim.

Google released a preview version of Gemini CLI in June, and this isn't the first issue that's been brought to light. A "vibe coder" recently described how Gemini CLI deleted his code by mistake.

Researchers at security firm Tracebit devised an attack that overrode the tool's embedded security controls. Attackers could use an exploit to hide malicious commands, using "a toxic combination of improper validation, prompt injection and misleading UX," as Tracebit explains.

You May Also Like

Sam Cox, Tracebit's founder, says he personally tested the exploit, which ultimately allowed him to execute any command — including destructive ones. "That's exactly why I found this so concerning," Cox told Ars Technica. "The same technique would work for deleting files, a fork bomb or even installing a remote shell giving the attacker remote control of the user's machine."

SEE ALSO: Google Gemini deletes user’s code: ‘I have failed you completely and catastrophically’

After reports of the vulnerability surfaced, Google classified the situation as Priority 1 and Severity 1 on July 23, releasing the improved version two days later.

Those planning to use Gemini CLI should immediately upgrade to its latest version (0.1.14). Additionally, users could use the tool's sandboxing mode for additional security and protection.

Topics Artificial Intelligence Google Gemini

Mashable Image
Meera Navlakha

Meera is a journalist based between London and New York. Her work has been published in The New York Times, Vice, The Independent, Vogue India, W Magazine, and others. She was previously a Culture Reporter at Mashable. 

Mashable Potato
Recommended For You
Apple iOS 26.4 update: No Gemini-powered Siri yet, report suggests
By Alex Perry
Siri promotional art on a laptop screen
Google Chrome unveils Gemini-powered auto-browsing feature
By Matt Binder
Chrome auto browse
Google hit with shocking wrongful death lawsuit over Gemini AI chatbot
By Matt Binder
Google Gemini logo
Spotify said AI has been doing the heavy lifting for its coding since December
By Matt Binder
Spotify and AI
iOS 26.4 available now: All updates, security improvements to know
By Chance Townsend
The Apple logo appears on a mobile phone screen in this photo illustration
Trending on Mashable
NYT Connections hints today: Clues, answers for April 3, 2026
By Mashable Team
Connections game on a smartphone
Wordle today: Answer, hints for April 3, 2026
By Mashable Team
Wordle game on a smartphone
NYT Connections hints today: Clues, answers for April 4, 2026
By Mashable Team
Connections game on a smartphone
Google launches Gemma 4, a new open-source model: How to try it
By Matt Binder
Google Gemma
Wordle today: Answer, hints for April 4, 2026
By Mashable Team
Wordle game on a smartphone
The biggest stories of the day delivered to your inbox.
These newsletters may contain advertising, deals, or affiliate links. By clicking Subscribe, you confirm you are 16+ and agree to our Terms of Use and Privacy Policy.
Thanks for signing up. See you at your inbox!