Detect CVE-2026-0755: gemini-mcp-tool OS Command Injection and File Exfiltration via Prompt Quoting in Google Chronicle
CVE-2026-0755 is a critical OS command injection vulnerability (CWE-78) in the npm package gemini-mcp-tool versions >= 1.1.2 and < 1.1.6. Attackers can craft malicious prompts containing unescaped shell metacharacters or @file directives to achieve arbitrary OS command execution and local file exfiltration on systems running the affected MCP tool. The vulnerability arises from insufficient sanitization of user-supplied prompt strings before they are passed to underlying shell execution contexts. A public proof-of-concept exists. CVSS score is 9.8 (Critical).
MITRE ATT&CK
- Tactic
- Execution Collection Exfiltration
YARA-L Detection Query
rule cve_2026_0755_gemini_mcp_injection {
meta:
author = "df00tech detection engineering"
description = "Detects CVE-2026-0755 OS command injection in gemini-mcp-tool"
severity = "CRITICAL"
priority = "HIGH"
reference = "https://github.com/jamubc/gemini-mcp-tool/security/advisories/GHSA-4h5r-5jm8-jxjm"
events:
$e.metadata.event_type = "PROCESS_LAUNCH"
(
$e.principal.process.file.full_path = /node/ nocase or
$e.principal.process.command_line = /gemini-mcp-tool/ nocase or
$e.principal.process.command_line = /gemini_mcp/ nocase
)
(
$e.principal.process.command_line = /@[A-Za-z0-9_.\-\/:]{2,}/ or
$e.principal.process.command_line = /[;&|`$(){}\[\]<>]/ or
$e.principal.process.command_line = /bash\s+-c|sh\s+-c|cmd\.exe\s+\/c/ nocase
)
condition:
$e
}Chronicle YARA-L rule detecting process launch events from gemini-mcp-tool with OS command injection or file exfiltration patterns in command-line arguments.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate AI assistant workflows using @file references to include large documents in gemini-mcp-tool prompts
- Developer tools built on top of gemini-mcp-tool that construct complex shell-like prompt strings programmatically
- Security research workstations deliberately testing CVE-2026-0755 in isolated environments
Other platforms for CVE-2026-0755
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1CVE-2026-0755 Basic OS Command Injection via Shell Metacharacter in Prompt
Expected signal: Sysmon/auditd execve event showing node spawning sh or bash with -c flag; /tmp/cve_2026_0755_poc.txt created with output of id command
- Test 2CVE-2026-0755 @file Exfiltration of /etc/passwd via Prompt
Expected signal: File read event on /etc/passwd initiated by node process; network connection attempt to Gemini API endpoint (generativelanguage.googleapis.com) carrying file contents
- Test 3CVE-2026-0755 Credential Harvesting via Subshell Injection and Exfiltration
Expected signal: Process events: node -> sh -c '$(...curl...)'; network connection from node process to 127.0.0.1:4444; file read on ~/.ssh/id_rsa by the injected shell command
Unlock Pro Content
Get the full detection package for CVE-2026-0755 including response playbook, investigation guide, and atomic red team tests.