CVE-2026-0755: Remote Code Execution and Arbitrary File Exfiltration in gemini-mcp-tool

The open-source gemini-mcp-tool is designed to connect Google Gemini command line utilities to Model Context Protocol (MCP) compatible clients, such as Claude Desktop or Claude Code. Because this tool handles natural language inputs directly from LLM agents or user-supplied prompts, its command execution interfaces represent a high-exposure attack surface.

The vulnerability, cataloged as CVE-2026-0755, presents two distinct security issues that allow unauthenticated remote attackers to perform actions within the security context of the server process. On Windows systems, inadequate validation of command arguments allows for Remote Code Execution (RCE) via system command injection. On macOS and Linux systems, the tool fails to prevent local file references, allowing an attacker to exfiltrate private files from the host platform.

Because the MCP server handles inputs programmatically forwarded from local or remote AI models, exploitation can occur without direct user interaction if an attacker is able to influence the model context. Both issues stem from failures in input parsing and process execution configurations within the application code.

The root cause of the Windows-specific command injection lies in the interaction between Node.js and the underlying command interpreter. Node.js applications running on Windows frequently execute .cmd or .bat shims. Starting with Node.js 22, executing these batch files requires setting the option shell: true to prevent execution failures.

When shell: true is configured, Node.js delegates command parsing to cmd.exe /d /s /c. Under this mode, arguments are joined into a single command line string and re-parsed. In gemini-mcp-tool version 1.1.5 and below, argument sanitization relied on the regex /[\s"]/.test(s) to determine if an argument needed to be enclosed in double quotes. This logic failed to account for command separators such as &, |, <, and > when they were supplied without adjacent spaces or double quotes. Consequently, a string like a&calc was passed to cmd.exe completely unquoted, leading to command separation and execution of the subsequent payload.

The second vector, targeting local files, is rooted in the Gemini CLI's native support for inlining files using the @ prefix. The application attempted to prevent this by wrapping prompt inputs in double quotes when an @ character was detected. However, because Unix-like environments execute commands via execve (with shell: false by default), Node.js passed the literal double-quote characters directly to the binary as part of the argument. The Gemini CLI ignored the outer quotes and parsed the path anyway, bypassing the intended security validation.

The vulnerable code in src/utils/commandExecutor.ts relied on a naive regular expression to determine if a command-line argument required escaping. The mapping function left arguments containing critical shell characters untouched if they did not contain a space or double quote.

// Vulnerable code in gemini-mcp-tool <= 1.1.5
const isWindows = process.platform === "win32";
const safeArgs = isWindows
  ? args.map(a => {
      const s = String(a);
      return /[\s"]/.test(s) ? `"${s.replace(/"/g, '""')}"` : s;
    })
  : args;

The patch introduced in version 1.1.6 implements a rigorous quoting mechanism named quoteForCmd which is applied unconditionally to every argument on Windows platforms. This function escapes pre-existing quotes and backslashes using CommandLineToArgvW rules, rendering active shell characters completely inert.

// Patched code in gemini-mcp-tool >= 1.1.6
function quoteForCmd(arg: string): string {
  const body = String(arg).replace(/(\\*)"/g, '$1$1""').replace(/(\\+)$/, '$1$1');
  return `"${body}"`;
}
 
const isWindows = process.platform === "win32";
const safeArgs = isWindows ? args.map(quoteForCmd) : args;

To address the file exfiltration vulnerability, the developer deleted the literal quote-wrapping logic and implemented an explicit verification function, assertSafeFileReferences, which validates all file-reference patterns against the current working directory.

// Patched path validation in gemini-mcp-tool >= 1.1.6
import * as path from 'path';
const FILE_REF_PATTERN = /@(\S+)/g;
 
export function assertSafeFileReferences(prompt: string, root: string = process.cwd()): void {
  const normalizedRoot = path.resolve(root);
  for (const match of prompt.matchAll(FILE_REF_PATTERN)) {
    const ref = match[1];
    const resolved = path.resolve(normalizedRoot, ref);
    const escapesRoot = resolved !== normalizedRoot && !resolved.startsWith(normalizedRoot + path.sep);
    if (ref.startsWith('~') || escapesRoot) {
      throw new Error(`Refusing @file reference outside the project directory: "@${ref}"`);
    }
  } 
}

This verification ensures that any path resolving outside the specified project root directory, or referencing the home directory via ~, triggers an immediate error and prevents the downstream command execution.

An attacker can exploit the command injection vulnerability by submitting a malicious payload via the MCP interface to functions like ask-gemini. On Windows systems, inputting a prompt such as a&powershell.exe -e <base64> bypasses the character filter because it lacks spaces or double quotes. When Node.js spawns the subprocess, cmd.exe interprets the unquoted ampersand as a command separator, initiating execution of the secondary command.

On Unix-like platforms, an attacker can leverage the @ prefix to read local system configuration files or credential databases. Submitting a prompt such as Summarize: @/etc/passwd to the MCP server triggers this behavior. The application fails to block the file reference because Unix executions use shell: false, passing the input string directly to the Gemini binary.

The Gemini binary opens the specified file and inserts its contents directly into the prompt payload. The Large Language Model (LLM) processes the updated context and returns the contents of /etc/passwd in its response back to the user, effectively exfiltrating sensitive operating system details.

The impact of CVE-2026-0755 is critical because MCP servers typically run in the security context of the active user session or a dedicated service account. An attacker who successfully achieves remote command execution can read, modify, or delete files, install malicious software, or pivoting to other resources on the local network.

If the server is deployed on a developer's workstation to assist with programming tasks, execution of arbitrary commands could expose proprietary code bases, private SSH keys, API access tokens, and browser session cookies. This establishes a direct pathway for supply chain contamination or unauthorized corporate access.

The CVSS v3.0 Base Score of 9.8 reflects the severity of these attack vectors, highlighting that exploitation requires no privileges and no user interaction. The high local file disclosure capabilities allow attackers to target application configuration profiles and system directories to gather intelligence for secondary attacks.

The primary remediation strategy is to upgrade gemini-mcp-tool to version 1.1.6 or higher. This update replaces the flawed sanitization logic with comprehensive Windows command quoting and implements strict directory checks on all file references.

Administrators can apply the update globally using the Node Package Manager:

npm install -g gemini-mcp-tool@latest

If immediate patching is not possible, the following defensive measures are recommended:

1. Restrict access to the MCP server API to localhost or authorized internal network interfaces.
2. Avoid running the MCP server within administrative or root security contexts.
3. Temporarily disable the integration in the client settings, such as claude_desktop_config.json, to prevent command execution routines.