Maximum Severity in Google's Own Tool
CVSS 10.0 is the maximum possible severity score. It means: low attack complexity, no privileges required, no user interaction needed, complete confidentiality/integrity/availability impact. Cyera Research Labs found exactly this in Google's Gemini CLI — the command-line interface for Google's AI model, used by developers and CI/CD pipelines to automate coding tasks.
The flaw (GHSA-wpqr-6v78-jr5g) was in Gemini CLI's --yolo mode, a convenience flag that skips confirmation prompts for tool execution. In --yolo mode, the tool allowlist — the security boundary that restricts which commands the AI can run — was completely ignored. Any command the AI decided to execute would run with the full privileges of the host process.
A GitHub Issue Becomes an RCE
The attack chain exploited prompt injection through GitHub issues. An attacker creates a GitHub issue containing crafted text that, when processed by Gemini CLI in a CI/CD pipeline, triggers command execution on the build server. The --yolo flag, intended for automation, ensured no human would see a confirmation prompt. The allowlist bypass ensured no security boundary would block the command.
This is the same attack pattern WebPulse documented in the Claude Code GitHub Action vulnerability (June 2026), in which a malicious issue title was used to read CI/CD secrets. The difference: Gemini CLI's flaw scored CVSS 10.0 because it achieved arbitrary command execution, not just secret exfiltration. The build server — with its deployment keys, cloud credentials, and production access — was fully compromised.
The --yolo Problem
The --yolo flag exists because CI/CD pipelines cannot pause for human confirmation. Every AI coding tool that runs in automation faces the same design tension: the tool must act autonomously (that is the point), but autonomous action without security boundaries is arbitrary code execution by another name. Google patched the allowlist bypass, but the architectural pattern — AI tools running unsupervised in CI/CD with broad permissions — is an industry-wide design choice, not a Google-specific bug.
For security teams: audit every AI tool in your CI/CD pipeline. Check which flags disable security boundaries. Check what permissions the tool runs with. The convenience flags that make AI tools useful in automation are the same flags that convert prompt injection into host-level RCE. Google's CVSS 10.0 is patched. The design pattern that enabled it is not.
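One way to start the audit described above, as an added example that is not from the original article or from Google: a Python heuristic that scans GitHub Actions workflow text for the --yolo flag and raises the severity when the workflow is triggered by events whose text outsiders can write. The trigger list, the severity labels and the sample workflows are assumptions constructed for illustration.

```python
import re

# (tool, flag) pairs that switch off confirmation prompts. Only gemini/--yolo
# comes from the article; extend the list from each tool's documentation.
BYPASS_FLAGS = [("gemini", "--yolo")]
# GitHub Actions triggers whose payload text can be written by outsiders.
UNTRUSTED_TRIGGERS = ("issues", "issue_comment", "pull_request_target")

def trigger_block(text):
    """Return the top-level `on:` section of a workflow as text."""
    block, inside = [], False
    for line in text.splitlines():
        if line.startswith("on:"):
            inside = True
        elif inside and line and not line[0].isspace():
            break  # the next top-level key ends the section
        if inside:
            block.append(line)
    return "\n".join(block)

def audit_workflow(text):
    """Return (line_no, tool, flag, severity, triggers) per bypass flag found."""
    on_block = trigger_block(text)
    triggers = [t for t in UNTRUSTED_TRIGGERS if re.search(rf"\b{t}\b", on_block)]
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        code = line.split("#", 1)[0]  # heuristic: ignore YAML comments
        for tool, flag in BYPASS_FLAGS:
            pattern = rf"\b{tool}\b.*(?<![\w-]){re.escape(flag)}(?![\w-])"
            if re.search(pattern, code):
                sev = "HIGH" if triggers else "REVIEW"  # labels are assumptions
                findings.append((no, tool, flag, sev, triggers))
    return findings

# Constructed sample workflows (not taken from any real repository).
RISKY = """\
on:
  issues:
    types: [opened]
jobs:
  triage:
    steps:
      - run: gemini --yolo -p "Triage issue ${{ github.event.issue.number }}"
"""
PUSH_ONLY = "on: [push]\npermissions:\n  issues: write\njobs:\n  j:\n    steps:\n      - run: gemini --yolo -p 'lint'\n"

if __name__ == "__main__":
    for name, wf in (("risky.yml", RISKY), ("push.yml", PUSH_ONLY)):
        for no, tool, flag, sev, trig in audit_workflow(wf):
            print(f"{name}:{no}: {sev} {tool} {flag} on={trig}")
```

A REVIEW result still needs a manual look at the permissions and secrets available to the job, and the line-based match misses commands split across continuation lines.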


