Detect CVE-2026-0755: gemini-mcp-tool OS Command Injection and File Exfiltration via Prompt Quoting in Microsoft Sentinel
CVE-2026-0755 is a critical OS command injection vulnerability (CWE-78) in the npm package gemini-mcp-tool versions >= 1.1.2 and < 1.1.6. Attackers can craft malicious prompts containing unescaped shell metacharacters or @file directives to achieve arbitrary OS command execution and local file exfiltration on systems running the affected MCP tool. The vulnerability arises from insufficient sanitization of user-supplied prompt strings before they are passed to underlying shell execution contexts. A public proof-of-concept exists. CVSS score is 9.8 (Critical).
MITRE ATT&CK
- Tactic
- Execution Collection Exfiltration
KQL Detection Query
union DeviceProcessEvents, DeviceFileEvents, DeviceNetworkEvents
| where Timestamp > ago(7d)
| where InitiatingProcessCommandLine has_any ("gemini-mcp-tool", "gemini_mcp") or ProcessCommandLine has_any ("gemini-mcp-tool", "gemini_mcp")
| extend SuspiciousShell = ProcessCommandLine has_any ("bash -c", "sh -c", "cmd /c", "powershell -enc", "$(")
| extend FileExfil = ProcessCommandLine matches regex @"@[A-Za-z0-9_\-\./:]{2,}"
| extend OsInjection = ProcessCommandLine matches regex @"[;&|`$(){}\[\]<>]"
| where SuspiciousShell or FileExfil or OsInjection
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, ProcessCommandLine, FileName, SuspiciousShell, FileExfil, OsInjection
| order by Timestamp descDetects process execution chains originating from gemini-mcp-tool that contain shell metacharacters, sub-shell invocations, or @file exfiltration patterns indicative of CVE-2026-0755 exploitation.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate developer usage of gemini-mcp-tool with shell-heavy prompt strings in CI/CD pipelines
- Automated testing frameworks that invoke gemini-mcp-tool with complex arguments containing special characters
- Script-driven MCP integrations that legitimately use @file references to pass large context files
Other platforms for CVE-2026-0755
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1CVE-2026-0755 Basic OS Command Injection via Shell Metacharacter in Prompt
Expected signal: Sysmon/auditd execve event showing node spawning sh or bash with -c flag; /tmp/cve_2026_0755_poc.txt created with output of id command
- Test 2CVE-2026-0755 @file Exfiltration of /etc/passwd via Prompt
Expected signal: File read event on /etc/passwd initiated by node process; network connection attempt to Gemini API endpoint (generativelanguage.googleapis.com) carrying file contents
- Test 3CVE-2026-0755 Credential Harvesting via Subshell Injection and Exfiltration
Expected signal: Process events: node -> sh -c '$(...curl...)'; network connection from node process to 127.0.0.1:4444; file read on ~/.ssh/id_rsa by the injected shell command
Unlock Pro Content
Get the full detection package for CVE-2026-0755 including response playbook, investigation guide, and atomic red team tests.