CVE-2026-0755 Splunk · SPL

Detect CVE-2026-0755: gemini-mcp-tool OS Command Injection and File Exfiltration via Prompt Quoting in Splunk

CVE-2026-0755 is a critical OS command injection vulnerability (CWE-78) in the npm package gemini-mcp-tool versions >= 1.1.2 and < 1.1.6. Attackers can craft malicious prompts containing unescaped shell metacharacters or @file directives to achieve arbitrary OS command execution and local file exfiltration on systems running the affected MCP tool. The vulnerability arises from insufficient sanitization of user-supplied prompt strings before they are passed to underlying shell execution contexts. A public proof-of-concept exists. CVSS score is 9.8 (Critical).

MITRE ATT&CK

Tactic
Execution Collection Exfiltration

SPL Detection Query

Splunk (SPL)
spl 
index=* (sourcetype=sysmon OR sourcetype=auditd OR sourcetype=osquery:results OR sourcetype=endpoint)
| search (process_name="node" OR process_exec="*gemini-mcp*" OR cmdline="*gemini-mcp-tool*")
| eval suspicious_shell=if(match(cmdline, "(bash\s+-c|sh\s+-c|cmd\s+/c|powershell\s+-enc|\$\()"), 1, 0)
| eval file_exfil=if(match(cmdline, "@[A-Za-z0-9_.\-/:]{2,}"), 1, 0)
| eval os_injection=if(match(cmdline, "[;&|`\$(){}\[\]<>]"), 1, 0)
| where suspicious_shell=1 OR file_exfil=1 OR os_injection=1
| table _time host user process_name cmdline parent_process suspicious_shell file_exfil os_injection
| sort -_time
critical severity high confidence

Detects suspicious command-line patterns from gemini-mcp-tool processes including shell injection metacharacters and @file exfiltration attempts consistent with CVE-2026-0755.

Data Sources

SysmonauditdosquerySplunk Endpoint

Required Sourcetypes

sysmonauditdosquery:resultsendpoint

False Positives & Tuning

  • Developers running gemini-mcp-tool interactively with complex natural language prompts containing punctuation
  • CI/CD pipelines that pass shell scripts as prompt content to the tool for summarization
  • Security researchers using gemini-mcp-tool to analyze malware samples containing shell metacharacters

Other platforms for CVE-2026-0755

Microsoft Sentinel (KQL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1CVE-2026-0755 Basic OS Command Injection via Shell Metacharacter in Prompt

    Expected signal: Sysmon/auditd execve event showing node spawning sh or bash with -c flag; /tmp/cve_2026_0755_poc.txt created with output of id command

  2. Test 2CVE-2026-0755 @file Exfiltration of /etc/passwd via Prompt

    Expected signal: File read event on /etc/passwd initiated by node process; network connection attempt to Gemini API endpoint (generativelanguage.googleapis.com) carrying file contents

  3. Test 3CVE-2026-0755 Credential Harvesting via Subshell Injection and Exfiltration

    Expected signal: Process events: node -> sh -c '$(...curl...)'; network connection from node process to 127.0.0.1:4444; file read on ~/.ssh/id_rsa by the injected shell command

Last updated: 2026-06-21 Research depth: standard
References (4)

Unlock Pro Content

Get the full detection package for CVE-2026-0755 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0002ExecutionTA0009CollectionTA0010Exfiltration

Related Techniques

T1059Command and Scripting InterpreterT1005Data from Local SystemT1041Exfiltration Over C2 Channel

Same Tactic: Execution

Popular Detections