CVE-2026-0755 CrowdStrike LogScale · LogScale

Detect CVE-2026-0755: gemini-mcp-tool OS Command Injection and File Exfiltration via Prompt Quoting in CrowdStrike LogScale

CVE-2026-0755 is a critical OS command injection vulnerability (CWE-78) in the npm package gemini-mcp-tool versions >= 1.1.2 and < 1.1.6. Attackers can craft malicious prompts containing unescaped shell metacharacters or @file directives to achieve arbitrary OS command execution and local file exfiltration on systems running the affected MCP tool. The vulnerability arises from insufficient sanitization of user-supplied prompt strings before they are passed to underlying shell execution contexts. A public proof-of-concept exists. CVSS score is 9.8 (Critical).

MITRE ATT&CK

Tactic
Execution Collection Exfiltration

LogScale Detection Query

CrowdStrike LogScale (LogScale)
cql 
#event_simpleName=ProcessRollup2
| CommandLine = /gemini-mcp-tool|gemini_mcp/i OR ImageFileName = /node(\.exe)?$/i
| CommandLine = /(@[A-Za-z0-9_.\-\/:]{2,})|([;&|`$(){}\[\]<>])|(bash\s+-c|sh\s+-c|cmd\.exe\s+\/c|powershell\s+-enc)/i
| eval InjectionType = case(
    CommandLine = /@[A-Za-z0-9_.\-\/:]{2,}/, "file_exfiltration",
    CommandLine = /bash\s+-c|sh\s+-c/, "shell_injection",
    CommandLine = /powershell\s+-enc|cmd\.exe\s+\/c/, "windows_shell_injection",
    true(), "metachar_injection"
  )
| table timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, InjectionType
| sort timestamp desc
critical severity high confidence

CrowdStrike Falcon CQL query detecting Node.js processes associated with gemini-mcp-tool that exhibit OS command injection patterns or attempt @file-based local file exfiltration.

Data Sources

CrowdStrike FalconFalcon Insight XDRFalcon Data Replicator

Required Tables

ProcessRollup2

False Positives & Tuning

  • Falcon-protected developer endpoints running gemini-mcp-tool for legitimate AI-assisted development tasks
  • Managed security service providers using gemini-mcp-tool in their analysis pipelines with structured inputs
  • Red team engagements on enrolled endpoints performing authorized exploitation testing

Other platforms for CVE-2026-0755

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1CVE-2026-0755 Basic OS Command Injection via Shell Metacharacter in Prompt

    Expected signal: Sysmon/auditd execve event showing node spawning sh or bash with -c flag; /tmp/cve_2026_0755_poc.txt created with output of id command

  2. Test 2CVE-2026-0755 @file Exfiltration of /etc/passwd via Prompt

    Expected signal: File read event on /etc/passwd initiated by node process; network connection attempt to Gemini API endpoint (generativelanguage.googleapis.com) carrying file contents

  3. Test 3CVE-2026-0755 Credential Harvesting via Subshell Injection and Exfiltration

    Expected signal: Process events: node -> sh -c '$(...curl...)'; network connection from node process to 127.0.0.1:4444; file read on ~/.ssh/id_rsa by the injected shell command

Last updated: 2026-06-21 Research depth: standard
References (4)

Unlock Pro Content

Get the full detection package for CVE-2026-0755 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0002ExecutionTA0009CollectionTA0010Exfiltration

Related Techniques

T1059Command and Scripting InterpreterT1005Data from Local SystemT1041Exfiltration Over C2 Channel

Same Tactic: Execution

Popular Detections