Cybersecurity researchers say they’ve identified a major vulnerability within Google’s Gemini CLI, an open-source AI agent for coding. Because of the vulnerability, attackers could use prompt injection attacks to steal sensitive data, the researchers claim.

Google released a preview version of Gemini CLI in June, and this isn’t the first issue that’s been brought to light. A “vibe coder” recently described how Gemini CLI deleted his code by mistake.

Researchers at security firm Tracebit devised an attack that overrode the tool’s embedded security controls. Attackers could use an exploit to hide malicious commands, using “a toxic combination of improper validation, prompt injection and misleading UX,” as Tracebit explains.

Sam Cox, Tracebit’s founder, says he personally tested the exploit, which ultimately allowed him to execute any command — including destructive ones. “That’s exactly why I found this so concerning,” Cox told Ars Technica. “The same technique would work for deleting files, a fork bomb or even installing a remote shell giving the attacker remote control of the user’s machine.”

After reports of the vulnerability surfaced, Google classified the situation as Priority 1 and Severity 1 on July 23, releasing the improved version two days later.

Those planning to use Gemini CLI should immediately upgrade to its latest version (0.1.14). Additionally, users could use the tool’s sandboxing mode for additional security and protection.