RANDOM CHAOS

Critical RCE flaws in Gemini CLI and Cursor expose AI coding tools to silent takeover

Original source: "Google Fixes CVSS 10 Gemini CLI CI RCE and Cursor Flaws Enable Code Execution", via The Hacker News

Google has patched a maximum-severity CVSS 10 remote code execution flaw in the Gemini CLI’s CI integration, alongside a parallel set of vulnerabilities in Cursor that allow attackers to execute arbitrary code on developer machines. The Gemini bug sits in the automation path where the CLI runs inside CI pipelines, meaning a malicious input handled by the agent could escape into the runner and execute with whatever privileges the pipeline holds — typically broad access to source, secrets, and deployment credentials.

The Cursor flaws follow the same pattern that has dogged the agentic coding category: untrusted content reaching a tool-using LLM gets interpreted as instructions, and the tool surface (shell, file write, package install) turns prompt injection into code execution. Both products sit deep inside developer trust boundaries, with access to repositories, tokens, and local filesystems, which makes a single successful injection equivalent to a full workstation or CI compromise.

The pattern matters more than the individual CVEs. As AI coding assistants accumulate tool permissions and CI-resident agents become normal, the blast radius of a prompt-injection bug now matches that of a classic RCE — and the supply-chain exposure scales with every repository the agent has touched.

This is an AI-generated summary. Read the original for the full story.