CVE-2026-0755 IBM QRadar · QRadar

Detect CVE-2026-0755: gemini-mcp-tool OS Command Injection and File Exfiltration via Prompt Quoting in IBM QRadar

CVE-2026-0755 is a critical OS command injection vulnerability (CWE-78) in the npm package gemini-mcp-tool versions >= 1.1.2 and < 1.1.6. Attackers can craft malicious prompts containing unescaped shell metacharacters or @file directives to achieve arbitrary OS command execution and local file exfiltration on systems running the affected MCP tool. The vulnerability arises from insufficient sanitization of user-supplied prompt strings before they are passed to underlying shell execution contexts. A public proof-of-concept exists. CVSS score is 9.8 (Critical).

MITRE ATT&CK

Tactic
Execution Collection Exfiltration

QRadar Detection Query

IBM QRadar (QRadar)
sql 
SELECT DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS 'Event Time', sourceip, username, "Process Name", "Command", QIDNAME(qid) AS 'Event Name'
FROM events
WHERE ("Process Name" ILIKE '%node%' OR "Command" ILIKE '%gemini-mcp-tool%' OR "Command" ILIKE '%gemini_mcp%')
AND ("Command" ILIKE '%bash -c%' OR "Command" ILIKE '%sh -c%' OR "Command" ILIKE '%cmd /c%' OR "Command" LIKE '%@/%' OR "Command" LIKE '%@C:%' OR "Command" RLIKE '.*[;&|`$(){}\[\]<>].*')
AND LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Linux OS', 'SyslogNG Generic', 'Sysmon')
LAST 7 DAYS
ORDER BY starttime DESC
critical severity medium confidence

QRadar AQL query detecting gemini-mcp-tool command-line activity containing OS injection metacharacters or @file exfiltration patterns, correlated against endpoint log sources.

Data Sources

QRadar SIEMWindows Security Event LogLinux SyslogSysmon for Linux

Required Tables

events

False Positives & Tuning

  • Legitimate gemini-mcp-tool invocations from developer machines using complex prompts with natural punctuation
  • Automated security tooling that wraps gemini-mcp-tool in shell scripts with metacharacter-heavy invocations
  • Batch AI workloads sending file references via @file syntax for valid summarization tasks

Other platforms for CVE-2026-0755

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1CVE-2026-0755 Basic OS Command Injection via Shell Metacharacter in Prompt

    Expected signal: Sysmon/auditd execve event showing node spawning sh or bash with -c flag; /tmp/cve_2026_0755_poc.txt created with output of id command

  2. Test 2CVE-2026-0755 @file Exfiltration of /etc/passwd via Prompt

    Expected signal: File read event on /etc/passwd initiated by node process; network connection attempt to Gemini API endpoint (generativelanguage.googleapis.com) carrying file contents

  3. Test 3CVE-2026-0755 Credential Harvesting via Subshell Injection and Exfiltration

    Expected signal: Process events: node -> sh -c '$(...curl...)'; network connection from node process to 127.0.0.1:4444; file read on ~/.ssh/id_rsa by the injected shell command

Last updated: 2026-06-21 Research depth: standard
References (4)

Unlock Pro Content

Get the full detection package for CVE-2026-0755 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0002ExecutionTA0009CollectionTA0010Exfiltration

Related Techniques

T1059Command and Scripting InterpreterT1005Data from Local SystemT1041Exfiltration Over C2 Channel

Same Tactic: Execution

Popular Detections