CVE-2026-0755 (ZDI-26-021 / ZDI-CAN-27783) is a CVSS 9.8 remote code execution zero-day in gemini-mcp-tool, an open-source utility that connects Google Gemini models to Model Context Protocol (MCP) services.
Root cause: the execAsync method passes user-supplied input directly into a system call without any validation or sanitization — a textbook OS command injection.
No authentication is required: the attack vector is network-based (AV:N), needs no privileges (PR:N) and no user interaction (UI:N), and the impact on confidentiality, integrity, and availability is rated high across the board.
Trend Micro ZDI researcher Peter Girnus reported the flaw to the vendor on July 25, 2025. After no response through two follow-ups (November and December 2025), ZDI published the advisory as a 0-day on January 9, 2026.
As of February 3, 2026 there is no official patch or update. The vendor has not responded to the disclosure.
Any internet-exposed or shared environment running gemini-mcp-tool is at critical risk — an attacker can execute arbitrary commands in the context of the service account with a single crafted request.
This is the latest in a pattern of MCP tooling vulnerabilities — following reports from Check Point/Lakera (40% of MCP servers vulnerable) and CrowdStrike (tool poisoning and shadowing attacks on MCP chains).
Why it matters
MCP adoption is exploding — Anthropic's protocol hit 97M monthly SDK downloads in January 2026. Tools like gemini-mcp-tool bridge LLMs to external services, and each one becomes an attack surface.
The flaw demonstrates that MCP tool authors often skip basic input validation, treating the LLM-to-tool boundary as trusted. In reality, any user-facing prompt can feed attacker-controlled strings into tool parameters.
With no patch available and the vendor unresponsive, this is a live 0-day. Any deployment still running gemini-mcp-tool is exploitable right now.
What to do
Stop using gemini-mcp-tool immediately in any internet-exposed or multi-tenant environment until a patch is released.
If you must run it, restrict network access to trusted hosts only and monitor for suspicious process execution or outbound connections.
Audit all MCP tools in your stack for similar patterns: user input flowing into exec, spawn, or system calls without sanitization.
Consider adopting MCP tool sandboxing — run each tool in an isolated container or VM with minimal privileges and no outbound network by default.