CVE-2026-0755 Elastic Security · Elastic

Detect CVE-2026-0755: gemini-mcp-tool OS Command Injection and File Exfiltration via Prompt Quoting in Elastic Security

CVE-2026-0755 is a critical OS command injection vulnerability (CWE-78) in the npm package gemini-mcp-tool versions >= 1.1.2 and < 1.1.6. Attackers can craft malicious prompts containing unescaped shell metacharacters or @file directives to achieve arbitrary OS command execution and local file exfiltration on systems running the affected MCP tool. The vulnerability arises from insufficient sanitization of user-supplied prompt strings before they are passed to underlying shell execution contexts. A public proof-of-concept exists. CVSS score is 9.8 (Critical).

MITRE ATT&CK

Tactic
Execution Collection Exfiltration

Elastic Detection Query

Elastic Security (Elastic)
eql 
sequence by host.id with maxspan=2m
  [process where event.type == "start"
   and (process.name == "node" or process.command_line like~ "*gemini-mcp-tool*")
   and process.command_line regex~ ".*(@[A-Za-z0-9_.\-/:]{2,}|[;&|`$(){}\[\]<>]|bash\s+-c|sh\s+-c).*"]
  [process where event.type == "start"
   and process.parent.name == "node"
   and process.name in ("bash", "sh", "cmd.exe", "powershell.exe", "python", "python3", "perl", "ruby", "curl", "wget")]
critical severity high confidence

EQL sequence rule detecting gemini-mcp-tool spawning a shell interpreter or data-exfiltration utility, indicating OS command injection via CVE-2026-0755.

Data Sources

Elastic Endpoint SecurityElastic AuditbeatElastic Winlogbeat

Required Tables

logs-endpoint.events.process*logs-system.security*

False Positives & Tuning

  • Node.js applications legitimately spawning shell processes for unrelated build or utility tasks on the same host
  • Developer workstations where multiple Node.js-based MCP tools run concurrently
  • Automated npm scripts that call shell utilities during the same process tree as gemini-mcp-tool

Other platforms for CVE-2026-0755

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1CVE-2026-0755 Basic OS Command Injection via Shell Metacharacter in Prompt

    Expected signal: Sysmon/auditd execve event showing node spawning sh or bash with -c flag; /tmp/cve_2026_0755_poc.txt created with output of id command

  2. Test 2CVE-2026-0755 @file Exfiltration of /etc/passwd via Prompt

    Expected signal: File read event on /etc/passwd initiated by node process; network connection attempt to Gemini API endpoint (generativelanguage.googleapis.com) carrying file contents

  3. Test 3CVE-2026-0755 Credential Harvesting via Subshell Injection and Exfiltration

    Expected signal: Process events: node -> sh -c '$(...curl...)'; network connection from node process to 127.0.0.1:4444; file read on ~/.ssh/id_rsa by the injected shell command

Last updated: 2026-06-21 Research depth: standard
References (4)

Unlock Pro Content

Get the full detection package for CVE-2026-0755 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0002ExecutionTA0009CollectionTA0010Exfiltration

Related Techniques

T1059Command and Scripting InterpreterT1005Data from Local SystemT1041Exfiltration Over C2 Channel

Same Tactic: Execution

Popular Detections