The Vulnerability

CVE-2026-0755, scored CVSS 9.8 out of 10, was a command injection vulnerability in gemini-mcp-tool - a package that provides Google Gemini AI integration through the Model Context Protocol. SentinelOne discovered the flaw and disclosed it through the Zero Day Initiative on January 9, 2026, with the NVD entry published January 23, 2026.

The bug was in the execAsync method, which constructs shell commands using user-supplied input. The method accepted whatever text a user or external client sent and passed it directly into a system shell call without any sanitization, escaping, or parameterization. Semicolons, pipes, command substitution sequences like $(), and other shell metacharacters in the input would be interpreted by the operating system shell exactly as they would be in a terminal.

An attacker could embed arbitrary commands in any tool parameter that eventually reached the execAsync call. The shell would execute the intended command, then execute whatever the attacker appended. The result was full remote code execution running with the privileges of the service account hosting the MCP server.

Why CVSS 9.8

The CVSS score reflects the combination of factors that make this vulnerability about as bad as it gets for a software flaw. The attack vector was network-based, meaning an attacker didn't need physical access or any local foothold. No authentication was required - the MCP tool didn't check whether the request came from a trusted source. No user interaction was needed, so no one had to click anything or approve a dialog for the exploit to work. And all three impact categories - confidentiality, integrity, and availability - were fully compromised.

For a security scoring system that tops out at 10.0, landing at 9.8 means the only things preventing a perfect score were minor factors in the exploitability metrics. In practical terms, this was about as exploitable as software vulnerabilities come.

The Technical Problem

Command injection through unsanitized shell calls is one of the oldest and best-understood vulnerability classes in software security. It's classified as CWE-78 (Improper Neutralization of Special Elements used in an OS Command) and has been documented in security guidelines for decades. OWASP lists it as a core injection attack type. Every intro-level security course covers it.

The fix is also well established: don't construct shell commands from user input. If shell execution is necessary, use execFile with argument arrays instead of execAsync with string concatenation. The execFile approach passes arguments directly to the executable without involving a shell interpreter, which eliminates the metacharacter injection vector entirely.

The gemini-mcp-tool developers chose the less safe approach. Whether this was a conscious decision, an oversight during rapid development, or a case of copying example code without understanding its security implications, the end result was the same: a network-accessible service that would run any command an attacker cared to send.

The MCP Angle

The Model Context Protocol is a standard for connecting AI models to external tools and data sources. MCP servers act as bridges between AI systems and local resources - file systems, databases, APIs, command-line tools. The protocol was designed to give AI assistants the ability to take actions in the real world, not just generate text.

This creates an inherently elevated risk profile for MCP tools. By design, they have access to system resources and can execute operations that affect the host machine. When an MCP tool has a command injection vulnerability, the attacker doesn't just compromise a web page or leak some data - they get code execution on a development machine that likely has access to source code, credentials, cloud keys, and other sensitive resources.

gemini-mcp-tool specifically connected Google's Gemini CLI to the MCP ecosystem, giving AI assistants the ability to invoke Gemini operations. Anyone running this tool was exposing a network-accessible endpoint with shell execution capabilities and no authentication checks. The attack surface was about as wide as it could be.

Zero-Day Status

At the time of disclosure, no patch was available. SentinelOne published the vulnerability through the Zero Day Initiative with a proof-of-concept demonstrating the exploit. This meant anyone running gemini-mcp-tool had a publicly documented, trivially exploitable remote code execution vulnerability on their machine with no fix to apply.

The recommended mitigations were limited to damage control: remove or disable the tool entirely, restrict network access to trusted IP ranges, run the service in a containerized or sandboxed environment, or manually patch the code by replacing execAsync with execFile and argument arrays. None of these are quick fixes for an organization that has deployed the tool across development teams.

The zero-day status also raised supply chain concerns. MCP tools are typically installed via package managers and integrated into developer workflows. A developer who installed gemini-mcp-tool to use Gemini AI features in their IDE might not have been aware they were also running an unauthenticated network service vulnerable to trivial remote code execution.

The Supply Chain Pattern

CVE-2026-0755 fits a pattern that became common in the MCP ecosystem through 2025 and 2026. Community-developed MCP tools, often built quickly to connect popular AI services to the protocol, shipped with insufficient security review. The tools needed to interact with system-level resources by design, which meant security flaws carried outsized consequences.

This was the same pattern seen in Cursor's MCP trust bypass (CVE-2025-54136), where .cursor/mcp.json files could silently install malicious MCP servers. The Docker "Ask Gordon" prompt injection showed how MCP tools could be manipulated through indirect means. Each incident revealed a different facet of the same problem: the MCP ecosystem was growing faster than its security infrastructure.

For gemini-mcp-tool specifically, the vulnerability was in baseline functionality - the core command execution method that the tool relied on for its primary operations. This wasn't a subtle logic error or a race condition. It was the textbook example of a command injection flaw, the kind that automated security scanners are specifically designed to catch.

Impact Assessment

Any system running gemini-mcp-tool with network exposure was fully compromisable. An attacker could read files, write files, install malware, establish persistence, pivot to other systems on the network, exfiltrate credentials, and do anything else the service account's permissions allowed.

For developers, the likely impact was exposure of source code, API keys, SSH keys, cloud provider credentials, and other secrets that typically reside on development machines. For organizations, a compromised developer machine is often a stepping stone to broader infrastructure access.

The proof-of-concept from SentinelOne demonstrated that exploitation was straightforward - no specialized tools or deep technical knowledge required. Someone with basic knowledge of shell commands could craft a payload and achieve code execution.

Mitigation Gaps

The most common advice for CVE-2026-0755 - disable the tool or restrict network access - highlighted a tension in the MCP ecosystem. Developers installed these tools because they wanted AI integration in their workflows. Telling them to remove the tool entirely meant giving up the functionality they sought. Restricting network access assumed developers knew how to configure firewall rules and understood which ports the MCP server was listening on.

The more technically correct fix - replacing execAsync with execFile and argument arrays - required modifying the tool's source code, which most users would not be comfortable doing. Between the three options (remove, restrict, or rewrite), none of them were straightforward for the average developer who had simply installed a package to connect their IDE to Gemini.

This gap between the severity of the vulnerability and the accessibility of the mitigations is what made CVE-2026-0755 particularly concerning. A CVSS 9.8 vulnerability that requires a code-level fix to address properly, in a tool that most users treat as a black box, in an ecosystem where security review is inconsistent - each factor compounded the others.