PERMISSION/PROTOCOL

2026-04-24

Critical | Primary

Gemini CLI CVSS 10.0 RCE: Headless Mode Auto-Trusted Any Workspace Folder and --yolo Ignored Tool Allowlists, Enabling PR Contributor CI Command Execution (GHSA-wpqr-6v78-jr5g)

Gemini CLI's headless mode auto-trusted any workspace folder; --yolo ignored tool allowlists. Any PR contributor could run arbitrary commands on CI runners before sandbox initialized, accessing secrets and source. CVSS 10.0. Patched in Gemini CLI v0.39.1. Discovered by Elad Meged (Novee Security) and Dan Lisichkin (Pillar Security).

Gemini CLI | Tool execution / MCP | CI runner RCE: auto-trust bypass + allowlist bypass | CI runners / GitHub Actions / repository secrets

What happened

A PR contributor could place a malicious workspace configuration in a repository. When Gemini CLI ran in headless mode with --yolo in CI, it auto-trusted the workspace and ignored tool allowlists, executing attacker-controlled commands on the CI runner before sandbox initialization — with access to all repository secrets.

Why it matters

The result is arbitrary command execution on CI runners, with access to repository secrets (API keys, deployment tokens, signing credentials) and full source code. Any organization using Gemini CLI in CI with headless mode and --yolo was exposed to full CI compromise by any PR contributor.

Missing authorization check

Headless mode must not bypass workspace trust validation. The --yolo flag must not ignore tool allowlists in CI contexts. CI runners require all authorization checks to be enforced before any code from untrusted sources executes.

Would PP block it?

External enforcement means that even if Gemini CLI's internal authorization is bypassed (headless auto-trust, --yolo allowlist skip), the PP enforcement layer still requires a signed receipt before consequential CI actions execute. The bypass of internal controls does not bypass the external gate.

Incident analysis

Timeline and technical read

Timeline

  1. 2026-04-24

    GHSA-wpqr-6v78-jr5g published: Gemini CLI headless auto-trust + --yolo allowlist bypass enable CVSS 10.0 RCE on CI runners. Discovered by Elad Meged (Novee Security) and Dan Lisichkin (Pillar Security).

  2. 2026-04-24

    Gemini CLI v0.39.1 released patching both the headless auto-trust and the --yolo allowlist bypass.

Technical breakdown

  • Headless mode: Gemini CLI skipped the interactive workspace trust prompt and auto-trusted any workspace folder, removing the only trust gate.
  • --yolo flag: completely ignored all configured tool allowlists, removing the only tool execution boundary.
  • Combined: a PR contributor could configure a malicious workspace; headless mode would auto-trust it; --yolo would ignore the allowlist; arbitrary commands execute before sandbox init.
  • Pre-sandbox execution: commands ran before the sandbox environment was initialized, giving full access to the CI runner's secrets and environment.
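To find the exposed configuration described above in your own repositories, the following added example (not code from the advisory or from the Gemini CLI project) flags workflow text that calls Gemini CLI with --yolo and checks a version string against the v0.39.1 fix. The function names and the two workflow fragments are constructed for illustration; it assumes CI invocations are non-interactive (headless) and uses regex matching rather than a YAML parser.

```python
import re

PATCHED = (0, 39, 1)  # fixed release named on this page
PR_TRIGGER = re.compile(
    r"(?m)^\s*(?:on:\s*\[?[\w,\s]*)?pull_request(?:_target)?\s*[:,\]]?\s*$")
YOLO_CALL = re.compile(r"\bgemini\b.*--yolo\b")

def is_patched(version_text):
    """True if a version string such as 'v0.39.1' is at or above the fix."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)(-[\w.]+)?", version_text)
    if not m:
        raise ValueError(f"no version in {version_text!r}")
    triple = tuple(int(p) for p in m.groups()[:3])
    # Semver: a pre-release of the fixed version sorts below the fix itself.
    return triple > PATCHED or (triple == PATCHED and m.group(4) is None)

def audit_workflow(text):
    """Return (severity, command) for each Gemini CLI call that uses --yolo."""
    pr_triggered = bool(PR_TRIGGER.search(text))
    findings = []
    for line in text.replace("\\\n", " ").splitlines():  # fold continuations
        code = line.split(" #", 1)[0].strip()  # drop trailing comments
        if code.startswith("#") or not YOLO_CALL.search(code):
            continue
        # PR-triggered runs process contributor-controlled workspace content.
        severity = "high" if pr_triggered else "review"
        findings.append((severity, re.sub(r"\s+", " ", code)))
    return findings

# Constructed, trimmed workflow fragments; not taken from any real repository.
PR_WORKFLOW = """\
on:
  pull_request:
jobs:
  review:
    steps:
      - run: |
          cat review-prompt.txt | gemini \\
            --yolo
"""
PUSH_WORKFLOW = """\
on: [push]
jobs:
  docs:
    steps:
      - run: gemini --yolo < docs-prompt.txt   # trusted branch only
"""

if __name__ == "__main__":
    print(audit_workflow(PR_WORKFLOW), audit_workflow(PUSH_WORKFLOW))
    print("v0.39.0 patched?", is_patched("v0.39.0"))
```

A "high" finding means the --yolo call sits in a workflow that runs on pull request events; "review" means --yolo is used but no pull request trigger was matched.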

Authorization boundary

Where the authorization boundary should have been

This incident is categorized as Tool execution / MCP. The relevant Permission Protocol gate is Deploy Gate. The read is conditional: the block only applies where the real action boundary is routed through a gate.

  • If enforced at: CI tool execution, workspace trust validation, tool allowlist enforcement
  • Still needs: Headless mode auto-trust bypass; --yolo flag removes all allowlist protections in CI
  • Receipt required for: CI command execution, accessing repository secrets, any tool call in CI context

PP's Deploy Gate would require a receipt before any CI tool execution. The receipt requirement cannot be bypassed by headless mode or --yolo flags — receipts are enforced externally to the CLI.

Start small

Put the relevant gate at this action boundary.

This incident maps to Deploy Gate. Start with the boundary that controls the actual action, then require a signed receipt before execution.
