# [CRIT] [GHSA / CRITICAL] CVE-2026-0755: gemini-mcp-tool vulnerable to OS command injection and @file exfiltration via prompt quoting (CVE-2026-0755) **Source:** GitHub Security Advisories **Published:** 2026-06-18 **Article:** https://github.com/advisories/GHSA-4h5r-5jm8-jxjm ## Threat Profile gemini-mcp-tool vulnerable to OS command injection and @file exfiltration via prompt quoting (CVE-2026-0755) Untrusted prompt input could reach the Gemini CLI @file parser, allowing read/exfiltration of arbitrary local files (@/etc/passwd, @~/.ssh/id_rsa, @../../secret). On Windows, unquoted cmd.exe metacharacters could break out into OS command injection. Fix (1.1.6): removed the broken shell:false double-quote wrapping; added assertSafeFileReferences() to contain @file refs to the working di… ## Indicators of Compromise (high-fidelity only) - **CVE:** `CVE-2026-0755` ## MITRE ATT&CK Techniques - **T1190** — Exploit Public-Facing Application - **T1204.002** — User Execution: Malicious File - **T1005** — Data from Local System - **T1552.004** — Unsecured Credentials: Private Keys - **T1083** — File and Directory Discovery - **T1059.003** — Command and Scripting Interpreter: Windows Command Shell ## Kill chain phases observed _(none detected from narrative keywords)_ ## Recommended hunts ### Gemini-MCP-tool @file exfiltration of sensitive paths (CVE-2026-0755) `UC_2_2` · phase: **actions** · confidence: **High** · AI-generated for this article **Splunk SPL (CIM):** ```spl | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes WHERE (Processes.parent_process_name IN ("node.exe","npx.exe") OR Processes.parent_process="*gemini-mcp-tool*") AND (Processes.process="*@/etc/passwd*" OR Processes.process="*@~/.ssh/*" OR Processes.process="*@/root/*" OR Processes.process="*@/proc/self/*" OR Processes.process="*@../*" OR Processes.process="*id_rsa*" OR Processes.process="*.aws\\credentials*" OR Processes.process="*@*.env*") BY Processes.dest Processes.user Processes.parent_process Processes.process Processes.process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` ``` **Defender KQL:** ```kql DeviceProcessEvents | where Timestamp > ago(7d) | where InitiatingProcessFileName in~ ("node.exe","npx.exe") or InitiatingProcessCommandLine has "gemini-mcp-tool" | where ProcessCommandLine has_any ("@/etc/passwd","@~/.ssh/","@/root/","@/proc/self/","@../","@./../","id_rsa",".aws\\credentials",".env") | where ProcessCommandLine has "@" | project Timestamp, DeviceName, AccountName, ParentImage = InitiatingProcessFolderPath, ParentCmd = InitiatingProcessCommandLine, ChildImage = FolderPath, ChildCmd = ProcessCommandLine, SHA256 | order by Timestamp desc ``` ### Windows cmd.exe metacharacter break-out via gemini-mcp-tool (CVE-2026-0755) `UC_2_3` · phase: **exploit** · confidence: **High** · AI-generated for this article **Splunk SPL (CIM):** ```spl | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes WHERE Processes.parent_process_name="node.exe" AND Processes.process_name="cmd.exe" AND (Processes.process="*|powershell*" OR Processes.process="*&powershell*" OR Processes.process="*&&powershell*" OR Processes.process="*|curl*" OR Processes.process="*&curl*" OR Processes.process="*|certutil*" OR Processes.process="*&certutil*" OR Processes.process="*|bitsadmin*" OR Processes.process="*&bitsadmin*" OR Processes.process="*|mshta*" OR Processes.process="*&mshta*") BY Processes.dest Processes.user Processes.parent_process Processes.process | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` ``` **Defender KQL:** ```kql DeviceProcessEvents | where Timestamp > ago(7d) | where InitiatingProcessFileName =~ "node.exe" | where FileName =~ "cmd.exe" | where ProcessCommandLine has_any ("|powershell","&powershell","&&powershell","|curl","&curl","|certutil","&certutil","|bitsadmin","&bitsadmin","|mshta","&mshta","|wget","&wget") | project Timestamp, DeviceName, AccountName, ParentImage = InitiatingProcessFolderPath, ParentCmd = InitiatingProcessCommandLine, ChildImage = FolderPath, ChildCmd = ProcessCommandLine, SHA256 | order by Timestamp desc ``` ### Article-specific behavioural hunt — [GHSA / CRITICAL] CVE-2026-0755: gemini-mcp-tool vulnerable to OS command inject `UC_2_1` · phase: **install** · confidence: **High** **Splunk SPL (CIM):** ```spl ``` Article-specific bespoke detection — [GHSA / CRITICAL] CVE-2026-0755: gemini-mcp-tool vulnerable to OS command inject ``` | tstats `summariesonly` count from datamodel=Endpoint.Filesystem where Filesystem.action IN ("created","modified") AND (Filesystem.file_path="*/etc/passwd*") by Filesystem.dest, Filesystem.user, Filesystem.process_name, Filesystem.file_path, Filesystem.file_name | `drop_dm_object_name(Filesystem)` ``` **Defender KQL:** ```kql // Article-specific bespoke detection — [GHSA / CRITICAL] CVE-2026-0755: gemini-mcp-tool vulnerable to OS command inject // Hunts the actual binaries / paths / commandline fragments named // in the article instead of a generic technique-class template. // File-creation events for the named binaries / paths DeviceFileEvents | where Timestamp > ago(30d) | where ActionType in ("FileCreated","FileModified") | where (FolderPath has_any ("/etc/passwd")) | project Timestamp, DeviceName, AccountName, FolderPath, FileName, ActionType, InitiatingProcessFileName, InitiatingProcessCommandLine | order by Timestamp desc ``` ### IOC-driven hunts (use shared templates) These are standard IOC-substitution hunts — the canonical SPL and KQL live once in [`_TEMPLATES.md`](../_TEMPLATES.md), so we don't repeat the same boilerplate on every CVE / hash / network-IOC briefing. - **Asset exposure — vulnerability matches article CVE(s)** ([template](../_TEMPLATES.md#asset-exposure)) — phase: **recon**, confidence: **High** - CVE(s): `CVE-2026-0755` ## Why this matters Severity classified as **CRIT** based on: CVE present, 4 use case(s) fired, 6 technique(s) inferred. Read the full article for actor attribution, tooling details, and any defanged IOCs in the body that aren't visible in the RSS summary.