CVE-2026-0755 Sumo Logic CSE · Sumo

Detect CVE-2026-0755: gemini-mcp-tool OS Command Injection and File Exfiltration via Prompt Quoting in Sumo Logic CSE

CVE-2026-0755 is a critical OS command injection vulnerability (CWE-78) in the npm package gemini-mcp-tool versions >= 1.1.2 and < 1.1.6. Attackers can craft malicious prompts containing unescaped shell metacharacters or @file directives to achieve arbitrary OS command execution and local file exfiltration on systems running the affected MCP tool. The vulnerability arises from insufficient sanitization of user-supplied prompt strings before they are passed to underlying shell execution contexts. A public proof-of-concept exists. CVSS score is 9.8 (Critical).

MITRE ATT&CK

Tactic
Execution Collection Exfiltration

Sumo Detection Query

Sumo Logic CSE (Sumo)
sql 
_sourceCategory=endpoint/process OR _sourceCategory=os/linux/audit OR _sourceCategory=windows/sysmon
| where process_name matches /node/ or command matches /gemini-mcp-tool/ or command matches /gemini_mcp/
| where command matches /(@[A-Za-z0-9_.\-\/:]{2,})/ or command matches /[;&|`$(){}\[\]<>]/ or command matches /(bash\s+-c|sh\s+-c|cmd\s+\/c|powershell\s+-enc)/
| eval injection_type = if(command matches /(@[A-Za-z0-9_.\-\/:]{2,})/, "file_exfil", if(command matches /(bash\s+-c|sh\s+-c)/, "shell_spawn", "metachar_injection"))
| count by _sourceHost, user, process_name, command, injection_type
| order by _count desc
critical severity medium confidence

Sumo Logic query identifying gemini-mcp-tool processes exhibiting OS command injection or file exfiltration patterns as described in CVE-2026-0755.

Data Sources

Sumo Logic Endpoint SourceLinux AuditWindows SysmonCloud Syslog

Required Tables

endpoint/processos/linux/auditwindows/sysmon

False Positives & Tuning

  • Development environments where gemini-mcp-tool is used interactively with rich text prompts
  • AI agent orchestration platforms passing complex tool arguments containing shell metacharacters
  • Test suites validating gemini-mcp-tool's input handling with edge-case inputs

Other platforms for CVE-2026-0755

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1CVE-2026-0755 Basic OS Command Injection via Shell Metacharacter in Prompt

    Expected signal: Sysmon/auditd execve event showing node spawning sh or bash with -c flag; /tmp/cve_2026_0755_poc.txt created with output of id command

  2. Test 2CVE-2026-0755 @file Exfiltration of /etc/passwd via Prompt

    Expected signal: File read event on /etc/passwd initiated by node process; network connection attempt to Gemini API endpoint (generativelanguage.googleapis.com) carrying file contents

  3. Test 3CVE-2026-0755 Credential Harvesting via Subshell Injection and Exfiltration

    Expected signal: Process events: node -> sh -c '$(...curl...)'; network connection from node process to 127.0.0.1:4444; file read on ~/.ssh/id_rsa by the injected shell command

Last updated: 2026-06-21 Research depth: standard
References (4)

Unlock Pro Content

Get the full detection package for CVE-2026-0755 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0002ExecutionTA0009CollectionTA0010Exfiltration

Related Techniques

T1059Command and Scripting InterpreterT1005Data from Local SystemT1041Exfiltration Over C2 Channel

Same Tactic: Execution

Popular Detections