# Gemini CLI and Cursor Bugs Expose CI Pipelines to Code Execution *Thursday, April 30, 2026 at 8:03 AM UTC — Hamer Intelligence Services Desk* **Published**: 2026-04-30T08:03:42.368Z (12h ago) **Category**: cyber | **Region**: Global **Importance**: 7/10 **Sources**: OSINT **Permalink**: https://hamerintel.com/data/articles/2108.md **Source**: https://hamerintel.com/summaries --- **Deck**: By about 07:14 UTC on 30 April, security researchers revealed severe vulnerabilities in the Gemini CLI tool and the Cursor AI coding environment, including a CVSS 10.0 flaw enabling remote code execution in CI workflows. The issues allowed malicious pull requests to run arbitrary code and exfiltrate secrets from developer systems. ## Key Takeaways - Around 07:14 UTC on 30 April, critical vulnerabilities were disclosed in Gemini CLI and Cursor developer tools. - A CVSS 10.0 flaw in Gemini CLI allowed malicious project configs to execute arbitrary code in CI environments. - Cursor bugs could trigger hidden Git hooks and leak local API keys through extensions, compromising developer machines. - The vulnerabilities highlight systemic supply‑chain and DevSecOps risks posed by AI‑integrated development tooling. On 30 April 2026, at approximately 07:14 UTC, details emerged of major security vulnerabilities affecting two AI‑integrated developer tools: the Gemini command‑line interface and the Cursor coding environment. The Gemini CLI bug, rated at the maximum CVSS score of 10.0, allowed for remote code execution in continuous integration (CI) workflows, while Cursor vulnerabilities exposed local secrets and enabled unexpected Git hook execution. The core issue with Gemini CLI lay in how it treated project configuration directories during automated runs. In CI contexts, the tool auto‑trusted `.gemini/` configurations fetched from pull requests without adequately validating their origin or content. This meant an attacker could submit a malicious pull request containing crafted configuration files that, once processed by a CI pipeline using Gemini CLI, would execute arbitrary commands on the build host—even before human review. In parallel, Cursor’s vulnerabilities involved its interaction with Git hooks and extensions. Under certain conditions, hidden Git hooks bundled with a repository could be triggered without clear warning, and local API keys used by Cursor extensions could be exposed or misused. Collectively, these flaws opened paths for attackers to gain footholds in developer workstations, access sensitive repositories, or exfiltrate cloud credentials and tokens typically stored on engineering endpoints. The key stakeholders include software development teams, DevOps engineers, and organizations that have integrated AI‑assisted tools deeply into their build and deployment pipelines. CI systems, which often run with elevated privileges and contain access to signing keys, container registries, and production credentials, represent highly privileged targets. Threat actors—both criminal and state‑linked—are increasingly focusing on such environments to execute supply‑chain attacks. These vulnerabilities matter because they blur the boundary between code review and code execution. Traditional workflows assume that unmerged pull requests cannot affect CI hosts beyond the code being statically analyzed or test‑compiled under tightly controlled conditions. By allowing configuration files or tool-assisted processes to execute arbitrary code on CI servers, the Gemini CLI flaw effectively turned the review step into a potential compromise vector. Similarly, Cursor’s weaknesses underscore how AI‑driven tooling can unintentionally expand attack surfaces. Extensions that have broad file system or network access, combined with opaque background operations, create opportunities for subtle data exfiltration. Exposure of local API keys could cascade into unauthorized access to external AI services, code repositories, or cloud accounts. From a wider perspective, this incident contributes to a growing pattern: as organizations chase productivity gains from AI‑enhanced development, they are deploying relatively new tools into highly sensitive positions in their software supply chains, often without mature threat modeling or hardening. ## Outlook & Way Forward In the near term, organizations using Gemini CLI and Cursor should apply vendor patches, review CI configurations, and audit recent pull requests—especially from untrusted contributors—for any anomalous behavior. Logs from CI runners and developer machines should be examined for unexpected process execution or network connections initiated during AI‑assisted tasks. Security teams are likely to add new controls around AI tooling: restricting their use in privileged CI contexts, enforcing least‑privilege access for build agents, and requiring explicit approvals before third‑party configurations or extensions are loaded. Some organizations may temporarily disable AI‑driven features in production pipelines until they can be better sandboxed. Strategically, these disclosures will accelerate broader discussions on secure AI adoption within software engineering. Regulators and industry bodies may start to issue guidelines specific to AI‑integrated development environments, emphasizing secure defaults, transparency about background operations, and rigorous review of how tools handle untrusted inputs from pull requests. For intelligence analysts and defenders, monitoring for exploitation campaigns leveraging CI and AI‑dev tools will be an emerging priority, as successful compromises in this domain can enable high‑impact supply‑chain attacks with far‑reaching consequences.