CVE-2026-0755

CVE-2026-0755: gemini-mcp-tool OS Command Injection and File Exfiltration via Prompt Quoting

Execution Collection Exfiltration Last updated:

CVE-2026-0755 is a critical OS command injection vulnerability (CWE-78) in the npm package gemini-mcp-tool versions >= 1.1.2 and < 1.1.6. Attackers can craft malicious prompts containing unescaped shell metacharacters or @file directives to achieve arbitrary OS command execution and local file exfiltration on systems running the affected MCP tool. The vulnerability arises from insufficient sanitization of user-supplied prompt strings before they are passed to underlying shell execution contexts. A public proof-of-concept exists. CVSS score is 9.8 (Critical).

Vulnerability Intelligence

Public PoC

Affected Software

Vendor
npm
Product
gemini-mcp-tool
Versions
>= 1.1.2, < 1.1.6

Weakness (CWE)

CWE-78

Timeline

Disclosed
June 18, 2026

CVSS

9.8
Critical (9.0–10)
Read the write-up →

What is CVE-2026-0755 CVE-2026-0755: gemini-mcp-tool OS Command Injection and File Exfiltration via Prompt Quoting?

CVE-2026-0755: gemini-mcp-tool OS Command Injection and File Exfiltration via Prompt Quoting (CVE-2026-0755) maps to the Execution and Collection and Exfiltration tactics — the adversary is trying to run malicious code in MITRE ATT&CK.

This page provides production-ready detection logic for CVE-2026-0755: gemini-mcp-tool OS Command Injection and File Exfiltration via Prompt Quoting, covering the data sources and telemetry it touches: Microsoft Defender for Endpoint, Microsoft Sentinel DeviceProcessEvents, DeviceFileEvents, DeviceNetworkEvents. The queries below are rated critical severity at high confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic
Execution Collection Exfiltration
Microsoft Sentinel / Defender
kusto 
union DeviceProcessEvents, DeviceFileEvents, DeviceNetworkEvents
| where Timestamp > ago(7d)
| where InitiatingProcessCommandLine has_any ("gemini-mcp-tool", "gemini_mcp") or ProcessCommandLine has_any ("gemini-mcp-tool", "gemini_mcp")
| extend SuspiciousShell = ProcessCommandLine has_any ("bash -c", "sh -c", "cmd /c", "powershell -enc", "$(")
| extend FileExfil = ProcessCommandLine matches regex @"@[A-Za-z0-9_\-\./:]{2,}"
| extend OsInjection = ProcessCommandLine matches regex @"[;&|`$(){}\[\]<>]"
| where SuspiciousShell or FileExfil or OsInjection
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, ProcessCommandLine, FileName, SuspiciousShell, FileExfil, OsInjection
| order by Timestamp desc

Detects process execution chains originating from gemini-mcp-tool that contain shell metacharacters, sub-shell invocations, or @file exfiltration patterns indicative of CVE-2026-0755 exploitation.

critical severity high confidence

Data Sources

Microsoft Defender for Endpoint Microsoft Sentinel DeviceProcessEvents DeviceFileEvents DeviceNetworkEvents

Required Tables

DeviceProcessEvents DeviceFileEvents DeviceNetworkEvents

False Positives

  • Legitimate developer usage of gemini-mcp-tool with shell-heavy prompt strings in CI/CD pipelines
  • Automated testing frameworks that invoke gemini-mcp-tool with complex arguments containing special characters
  • Script-driven MCP integrations that legitimately use @file references to pass large context files

Sigma rule & cross-platform mapping

The detection logic for CVE-2026-0755: gemini-mcp-tool OS Command Injection and File Exfiltration via Prompt Quoting (CVE-2026-0755) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the following logsource: 

logsource:
  category: process_creation
  product: windows

Browse the community-maintained Sigma rules for this technique:

SigmaHQ rules for CVE-2026-0755 Sigma rules on detection.fyi

Platform-specific guides for CVE-2026-0755

Detect in Microsoft Sentinel (KQL) Detect in Splunk (SPL) Detect in Elastic Security (Elastic) Detect in IBM QRadar (QRadar) Detect in Sumo Logic CSE (Sumo) Detect in Google Chronicle (YARA-L) Detect in CrowdStrike LogScale (LogScale)
Last updated: 2026-06-21 Research depth: standard
References (4)

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1CVE-2026-0755 Basic OS Command Injection via Shell Metacharacter in Prompt

    Expected signal: Sysmon/auditd execve event showing node spawning sh or bash with -c flag; /tmp/cve_2026_0755_poc.txt created with output of id command

  2. Test 2CVE-2026-0755 @file Exfiltration of /etc/passwd via Prompt

    Expected signal: File read event on /etc/passwd initiated by node process; network connection attempt to Gemini API endpoint (generativelanguage.googleapis.com) carrying file contents

  3. Test 3CVE-2026-0755 Credential Harvesting via Subshell Injection and Exfiltration

    Expected signal: Process events: node -> sh -c '$(...curl...)'; network connection from node process to 127.0.0.1:4444; file read on ~/.ssh/id_rsa by the injected shell command

Unlock Pro Content

Get the full detection package for CVE-2026-0755 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0002ExecutionTA0009CollectionTA0010Exfiltration

Related Techniques

T1059Command and Scripting InterpreterT1005Data from Local SystemT1041Exfiltration Over C2 Channel

Same Tactic: Execution

Popular Detections