ZDI Advisory — gemini-mcp-tool command injection (CVE-2026-0755)
AI relevance: gemini-mcp-tool is an MCP bridge for agent toolchains; a command injection in execAsync gives attackers RCE in AI agent infrastructure.
- Advisory: ZDI-26-021 documents a zero-day command injection in gemini-mcp-tool (CVE-2026-0755).
- Root cause: execAsync does not validate a user-supplied string before using it in a system call, enabling shell injection.
- Impact: Remote, unauthenticated attackers can execute arbitrary code as the service account.
- Severity: CVSS 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
- Attack surface: Any exposed MCP tool endpoint that accepts untrusted input into execAsync.
- Vendor status: ZDI published the case as a 0-day because no fix was available at disclosure time.
- Mitigation guidance: ZDI recommends restricting interaction with the product.
Why it matters
MCP tools often run with access to credentials, files, and downstream APIs. A single command injection in a tool bridge can turn agent workflows into remote code execution paths, making AI operator stacks a high-value entry point.
What to do
- Restrict exposure: Remove public access and allow only trusted, authenticated callers.
- Sandbox execution: Run the tool inside a locked-down container/VM with least-privilege service accounts.
- Monitor usage: Alert on unusual execAsync invocations or outbound network activity.
- Track vendor updates: Watch for a patch or mitigation release and upgrade immediately when available.