gemini-mcp-tool command injection (CVE-2026-0755)
A command injection flaw in gemini-mcp-tool showed how look-alike or loosely reviewed MCP packages can become direct shell compromise paths.
Affected systems
MCP deployments, Coding agents
Primary threats
Skill or Plugin Backdoors, Capability Escalation
Impact types
Command injection, Package-based host compromise
CVEs
Not specified
What an auditor should now check
- Inspect package wrappers for execAsync or shell interpolation paths
- Check how dependency selection and package naming are validated
- Verify tool installs are gated for authority-bearing connectors
Why this matters
This is a combined package-provenance and prompt-to-shell problem. The package name can look benign while its execution semantics are dangerous.
What happened
gemini-mcp-tool carried a command injection issue that could turn package use into host command execution.
Why the classification matters
This joins two concerns auditors sometimes separate incorrectly: package provenance and shell safety.
What an auditor should now check
- Whether packages expose shell execution wrappers behind seemingly safe tool names
- Whether command arguments are structured and policy-checked
- Whether package review is stricter for authority-bearing agent connectors
Zealynx takeaway
For agents that can install or invoke packages, naming trust is not security. Execution semantics are.
Control implications
- Package provenance needs to be part of AI runtime review
- Structured command invocation must replace shell string interpolation
- Look-alike packages deserve enhanced review when they expose host actions