CVE-2026-0755: Critical Zero-Auth RCE Flaw in gemini-mcp-tool Exposes Systems to Full Remote Takeover

CVE-2026-0755 – Command Injection in gemini-mcp-tool (Unauthenticated RCE)


Overview

CVE ID: CVE-2026-0755
Affected component: gemini-mcp-tool execAsync functionality
Vulnerability type: OS Command Injection
Impact: Unauthenticated Remote Code Execution
Severity: Critical
CVSS v3.1 Score: 9.8 (Critical)
Attack vector: Network
Authentication required: None
User interaction: None
Exploitability: High
Exploit maturity: Functional exploitation is considered feasible; proof-of-concepts exist in private and educational security research circles

This vulnerability allows a remote attacker to execute arbitrary operating system commands on a host running gemini-mcp-tool by abusing insufficient input validation in the execAsync command execution flow.


What went wrong

The gemini-mcp-tool includes a feature designed to execute system-level commands asynchronously. User-controlled input was passed into this execution logic without being strictly validated, escaped, or restricted. As a result, specially crafted input could be interpreted by the underlying shell rather than treated as plain data.

Because the affected endpoint is typically exposed without authentication, this weakness can be abused remotely. When exploited, arbitrary commands are executed with the same privileges as the service itself. In environments where the service runs with elevated permissions, full system compromise becomes possible.


How this vulnerability can be exploited

Exploitation occurs when external input reaches the execAsync execution path and is interpreted by the operating system shell. By injecting shell control characters or chaining commands, an attacker can cause unintended command execution.

No authentication is required, and exploitation does not depend on user interaction. Once a malicious request is processed, the system executes attacker-controlled instructions, enabling actions such as:

  • File creation, modification, or deletion
  • Credential harvesting from the host
  • Establishing persistence mechanisms
  • Network reconnaissance or lateral movement

This is a classic command injection scenario, but the lack of access controls significantly increases the risk.


Proof of Concept (PoC) status

  • Educational PoC availability: Yes (non-public, shared among security researchers for validation and defensive testing)
  • Public exploit kits: Not officially published at the time of writing
  • Weaponization risk: High, due to simplicity of exploitation

PoCs demonstrate that arbitrary commands can be executed by manipulating input parameters sent to the vulnerable execution interface. These PoCs are intended strictly for defensive validation and security testing in isolated lab environments.


MITRE mappings

CWE Mapping

  • CWE-78: Improper Neutralization of Special Elements used in an OS Command (OS Command Injection)

MITRE ATT&CK Techniques

  • T1190 – Exploit Public-Facing Application
  • T1059 – Command and Scripting Interpreter
  • T1105 – Ingress Tool Transfer (possible post-exploitation)
  • T1547 – Boot or Logon Autostart Execution (possible persistence)

Detection guidance

Recommended log sources

To detect exploitation attempts or successful compromise, the following log sources should be enabled and monitored:

  • Application logs from gemini-mcp-tool
  • Operating system process creation logs
  • EDR / XDR telemetry
  • Web server or reverse proxy logs (if used)
  • Network flow and outbound connection logs
  • Container runtime or Kubernetes audit logs (if containerized)

Behavioral indicators of exploitation

The following behaviors should be considered suspicious and investigated:

  • Unexpected child processes spawned by the gemini-mcp-tool service
  • Invocation of command interpreters such as bash, sh, cmd.exe, or powershell
  • Execution of system utilities not normally required by the service
  • Outbound network connections initiated immediately after command execution requests
  • Creation or modification of system files, scheduled tasks, or startup scripts
  • Requests to execution-related endpoints containing unusual characters or abnormally long input values

Detection logic

Process-based detection:

  • Alert when the gemini-mcp-tool process spawns a shell or scripting engine.
  • Alert when the service launches network utilities or file-management tools unexpectedly.

Web/API detection:

  • Monitor requests targeting command execution endpoints.
  • Flag requests containing shell metacharacters or encoded input patterns.
  • Rate-limit or temporarily block repeated execution requests from untrusted sources.

These detections should be tuned to reduce false positives and aligned with normal operational behavior.


Immediate mitigation steps

Until an official patch is applied, the following actions are strongly recommended:

  1. Restrict external exposure of the service using firewall rules or security groups.
  2. Disable access to execution-related endpoints unless they are strictly required.
  3. Run the service under a dedicated, low-privilege account.
  4. Remove or disable the execution functionality at runtime where possible.
  5. Enforce application allow-listing and outbound network restrictions.
  6. Enable enhanced logging and alerting to support rapid incident response.

Long-term remediation guidance

  • Shell-based execution should be replaced with safer APIs that do not invoke command interpreters.
  • Strict input validation and allow-listing should be enforced for any execution logic.
  • Authentication and authorization should be required for all sensitive operations.
  • Services should be containerized with restricted capabilities and read-only filesystems where feasible.
  • Secure coding reviews should be introduced to prevent future command execution flaws.

Official patch / upgrade information

At the time of writing, users are advised to monitor and apply the official fix or upgrade released by the project maintainers as soon as it becomes available.

Official project and patch source:
👉 https://github.com/jamubc/gemini-mcp-tool


Final takeaway

This vulnerability represents a high-risk condition due to its unauthenticated nature and direct path to remote code execution. Organizations running gemini-mcp-tool should assume active exploitation is possible and act accordingly. Early detection, strict access control, and prompt patching are critical to reducing risk.


Aegiron

Backed by 11+ years in cybersecurity and incident response, we decode the latest threats shaping today’s digital battlefield. This blog cuts through the noise with clear insights on vulnerabilities, emerging exploits, and the cyber news defenders can’t afford to miss.