


Perceptive Security
SOC/SIEM Consultancy

Google Patches Antigravity IDE Flaw Enabling Prompt Injection Code Execution
Published:
21 April 2026 at 10:22:00
Alert date:
21 April 2026 at 12:01:48
Source:
thehackernews.com
Web Technologies, Emerging Technologies, Enterprise Applications
Cybersecurity researchers discovered a vulnerability in Google's Antigravity IDE that enables code execution through prompt injection. The flaw combines the IDE's file-creation capabilities with insufficient input sanitization in the find_by_name file-searching tool to bypass security restrictions. Google has since patched the vulnerability, which could allow attackers to execute arbitrary code within the development environment.
Technical details
The vulnerability combines Antigravity's file-creation capabilities with insufficient input sanitization in the find_by_name tool to bypass Strict Mode. Attackers can inject the -X (exec-batch) flag through the Pattern parameter, forcing fd to execute arbitrary binaries. The attack works because the find_by_name tool call executes before Strict Mode constraints are enforced. With a crafted Pattern value of -Xsh, fd passes the matched files to sh, which executes them as shell scripts. The attack can be initiated via indirect prompt injection, using hidden attacker-controlled comments in seemingly harmless files.
Mitigation steps:
Google patched the vulnerability as of February 28, 2026.
Implement strict input validation for tool parameters.
Apply the principle of least privilege for AI agents.
Monitor for suspicious file creation and execution patterns.
Validate and sanitize all inputs to AI-powered tools.
Ensure proper separation between system instructions and user-supplied data.
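Strict validation of a tool parameter, sketched as an added example (not Antigravity's or Google's code): a hypothetical wrapper that builds fd's argument list from a Pattern value, with the weak form beside the hardened one and a check over tool-call records. The function names, the record layout and the assumption that Pattern is placed directly in fd's argv are illustrative.

```python
# Added example: a hypothetical wrapper, not Antigravity's implementation.
# Assumption: the tool places the caller-supplied Pattern directly in fd's argv.
FD = "fd"  # fd binary name, assumed to be on PATH


class UnsafePattern(ValueError):
    """Raised when a Pattern value could be parsed by fd as an option."""


def naive_argv(pattern, search_dir):
    # Assumed vulnerable shape: fd still parses options at this position, so a
    # Pattern of "-Xsh" is read as -X (exec-batch) with the command "sh".
    return [FD, pattern, search_dir]


def hardened_argv(pattern, search_dir):
    if not isinstance(pattern, str) or not pattern:
        raise UnsafePattern("Pattern must be a non-empty string")
    if pattern.startswith("-"):
        raise UnsafePattern("Pattern must not start with '-': %r" % pattern)
    if any(ord(ch) < 0x20 for ch in pattern):
        raise UnsafePattern("Pattern contains control characters")
    # "--" ends option parsing: everything after it is positional, so the value
    # is only ever a search pattern. Pass the list to subprocess.run without
    # shell=True so no shell re-interprets it.
    return [FD, "--", pattern, search_dir]


def suspicious_calls(calls):
    # Detection over tool-call records: find_by_name with an option-like Pattern.
    return [c for c in calls
            if c.get("tool") == "find_by_name"
            and str(c.get("Pattern", "")).lstrip().startswith("-")]


# Constructed sample records (record layout is an assumption, not a real log).
SAMPLE_CALLS = [
    {"id": 1, "tool": "find_by_name", "Pattern": "*.md"},
    {"id": 2, "tool": "find_by_name", "Pattern": "-Xsh"},
    {"id": 3, "tool": "find_by_name", "Pattern": "report-2026"},
]

if __name__ == "__main__":
    print(naive_argv("-Xsh", "/workspace"))
    print(hardened_argv("*.md", "/workspace"))
    print([c["id"] for c in suspicious_calls(SAMPLE_CALLS)])
```

The leading-dash check and the "--" separator are independent layers: either one alone keeps a Pattern value from being parsed as an fd option.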
Affected products:
Google Antigravity IDE
Anthropic Claude Code Security Review
Google Gemini CLI Action
GitHub Copilot Agent
Microsoft Copilot Studio
Salesforce Agentforce
Cursor AI code editor
Related links:
https://antigravity.google/docs/strict-mode
https://antigravity.google/docs/sandbox-mode
https://www.pillar.security/blog/prompt-injection-leads-to-rce-and-sandbox-escape-in-antigravity
https://oddguan.com/blog/comment-and-control-prompt-injection-credential-theft-claude-code-gemini-cli-github-copilot/
https://www.manifold.security/blog/gateway-gap-ai-agent-security
https://blogs.cisco.com/ai/identifying-and-remediating-a-persistent-memory-compromise-in-claude-code
https://www.straiker.ai/blog/nomshub-cursor-remote-tunneling-sandbox-breakout
https://www.preamble.com/blogs/tooljack-hijacking-an-ai-agents-perception-through-bridge-protocol-exploitation
https://www.capsulesecurity.io/blog-post/shareleak-taking-the-wheel-of-microsofts-copilot-studio-cve-2026-21520
https://www.capsulesecurity.io/blog-post/pipeleak-the-lead-that-stole-your-database-exploiting-salesforce-agentforce-with-indirect-prompt-injection
https://www.oasis.security/blog/claude-ai-prompt-injection-data-exfiltration-vulnerability
https://www.manifold.security/blog/spoofed-git-identity-ai-code-reviewer
Related CVEs:
Related threat actors:
IOCs:
Pattern parameter containing -Xsh value
Hidden comments in files containing AI agent instructions
Malicious shell scripts staged in workspace
Crafted Claude URLs with q= parameter containing prompt injections
This article was created with the assistance of AI technology by Perceptive.
