A significant security vulnerability has been discovered that targets Google Gemini, allowing the AI model to bypass authorization guardrails and exploit Google Calendar for data extraction through indirect prompt injection. Security researchers at Miggo Security disclosed the flaw, which was demonstrated to circumvent Google Calendar’s privacy controls by embedding a malicious prompt within a standard calendar invitation. This exploit allows unauthorized access to private meeting data and the creation of deceptive calendar events without direct user interaction.
The attack chain begins with a threat actor crafting a new calendar event and sending it to a target. The description field of this invite contains a natural language prompt designed to perform malicious actions once processed by Google Gemini. The vulnerability is activated when a user queries Gemini about their schedule, such as asking about Tuesday’s meetings. Gemini then parses the specially crafted prompt from the suspicious invite, summarizes the user’s private meetings for the specified day, adds this information to a newly created calendar event, and provides a benign response to the user. Behind the scenes, however, the AI has created a new event detailing the target’s private meetings, which in many enterprise calendar configurations becomes visible to the attacker, enabling them to exfiltrate sensitive data without the target user taking any action beyond the routine schedule query.
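One defensive pattern against the chain described above is to mediate the assistant's tool calls: derive intent only from the user's own words, and refuse write actions (such as creating an event) when the turn was a read-only question or when the proposed event repeats the titles of meetings read during that turn. The following is an added example, not code from Google or Miggo Security; the tool names, intent keywords and sample events are constructed assumptions.

```python
# Added example (not Google's or Miggo's code): a mediation layer between a calendar
# assistant and its tools. Tool names, intent keywords and sample events are constructed.
from dataclasses import dataclass, field

@dataclass
class Event:
    title: str
    description: str = ""  # untrusted: written by whoever sent the invite

@dataclass
class ToolCall:
    name: str
    args: dict = field(default_factory=dict)

WRITE_TOOLS = {"create_event", "update_event", "share_event"}  # assumed tool names
WRITE_WORDS = ("create", "schedule", "add", "move", "invite", "share")

def classify_intent(user_query: str) -> str:
    """Intent comes from the user's own words only, never from calendar content."""
    return "write" if any(w in user_query.lower() for w in WRITE_WORDS) else "read"

def echoes_private_events(call: ToolCall, seen: list) -> list:
    """Titles of events read this turn that reappear in a proposed write."""
    text = " ".join(str(v) for v in call.args.values()).lower()
    return [e.title for e in seen if e.title.lower() in text]

def mediate(user_query: str, seen: list, proposed: list):
    """Split proposed tool calls into (allowed, blocked); blocked carries an audit reason."""
    intent = classify_intent(user_query)
    allowed, blocked = [], []
    for call in proposed:
        if call.name not in WRITE_TOOLS:
            allowed.append(call)
        elif intent == "read":
            blocked.append((call, "write tool proposed for a read-only query"))
        elif leaked := echoes_private_events(call, seen):
            blocked.append((call, f"new event repeats private titles: {leaked}"))
        else:
            allowed.append(call)
    return allowed, blocked

def demo():
    """Constructed replay of the chain above: read-only question, one poisoned invite."""
    seen = [Event("Board budget review"),
            Event("Vendor sync", "[constructed: instructions aimed at the assistant]")]
    proposed = [ToolCall("list_events", {"day": "Tuesday"}),
                ToolCall("create_event", {"title": "Notes", "description": "Board budget review 10:00"})]
    return mediate("What meetings do I have on Tuesday?", seen, proposed)
```

Blocked calls should be logged with their reason, since a write proposed during a read-only turn is itself a useful detection signal for injected invite content.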
Indirect Prompt Injection Broadens AI Attack Surface
While this specific vulnerability involving Google Gemini has been addressed following responsible disclosure, it underscores a growing concern: AI-native features and the increasing adoption of AI tools can inadvertently expand the attack surface for organizations. As businesses integrate AI into automated workflows and develop their own internal AI agents, new security risks emerge. The underlying principle is that AI applications can be manipulated through the very language they are designed to comprehend, moving vulnerabilities beyond traditional code to reside in language, context, and AI behavior during runtime.
This disclosure follows closely on the heels of other emerging AI security threats. Varonis recently detailed an attack named Reprompt, which demonstrated the potential for adversaries to exfiltrate sensitive data from AI chatbots like Microsoft Copilot with a single click, bypassing enterprise security controls. These findings highlight the critical need for continuous evaluation of large language models (LLMs) across key safety and security dimensions. This includes testing for hallucination, factual accuracy, bias, potential harm, and resistance to jailbreaking, while simultaneously securing AI systems against traditional vulnerabilities.
Adding to the growing landscape of AI-related security concerns, Schwarz Group’s XM Cyber revealed methods for privilege escalation within Google Cloud Vertex AI’s Agent Engine and Ray. The researchers identified vulnerabilities that allow an attacker with minimal permissions to hijack highly privileged Service Agents, effectively turning these managed identities into “double agents” that facilitate privilege escalation. Exploitation of these flaws could lead to attackers reading all chat sessions, LLM memories, and sensitive information stored in storage buckets, or even gaining root access to the Ray cluster. Google has stated these services are currently operating as intended, emphasizing the importance for organizations to review identities with the Viewer role and implement adequate controls to prevent unauthorized code injection.
Emerging Vulnerabilities Across the AI Ecosystem
The aforementioned incidents are part of a broader pattern of newly discovered vulnerabilities and weaknesses across various AI systems. Security flaws (CVE-2026-0612, CVE-2026-0613, CVE-2026-0615, and CVE-2026-0616) in The Librarian, an AI-powered personal assistant, could grant attackers access to its internal infrastructure, including the administrator console and cloud environment, potentially leading to the leakage of sensitive information like cloud metadata, running processes, and system prompts. Another vulnerability demonstrated how system prompts can be extracted from intent-based LLM assistants by requesting their display in Base64-encoded format within form fields. This indicates that any field, log, database entry, or file where an LLM can write becomes a potential exfiltration channel, regardless of chat interface security.
A separate attack showcased how a malicious plugin uploaded to a marketplace for Anthropic Claude Code could bypass human-in-the-loop protections and exfiltrate user files via indirect prompt injection. Furthermore, a critical vulnerability in Cursor (CVE-2026-22708) enables remote code execution through indirect prompt injection by exploiting how agentic IDEs handle shell built-in commands. By abusing implicitly trusted commands like ‘export’ and ‘declare’, threat actors can manipulate environment variables, poisoning the behavior of legitimate developer tools and converting benign commands into arbitrary code execution vectors.
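A pre-approval check for an agentic IDE's shell commands illustrates the defensive side of the Cursor issue above: before a command is auto-approved as harmless, split it into simple commands and flag any environment-mutating builtin or `VAR=value` prefix assignment, since those change what the allowlisted tools will actually execute. This is an added example, not Cursor's code; the builtin list, allowlist and sample commands are constructed assumptions.

```python
# Added example (not Cursor's code): a pre-approval check for an agentic IDE's shell
# commands. The builtin list, allowlist and sample commands are constructed.
import re
import shlex

# Builtins that alter the shell's environment instead of running a program; `set`/`eval`
# are included because they can rewrite shell options or run generated text.
ENV_MUTATING = {"export", "declare", "typeset", "unset", "alias", "source", ".", "eval", "set"}
SEPARATORS = {";", "&&", "||", "|", "&", "(", ")"}
ASSIGNMENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*=")

def split_commands(cmdline: str) -> list:
    """Tokenize like a POSIX shell and split on control operators into simple commands."""
    lex = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    commands, current = [], []
    for tok in lex:
        if tok in SEPARATORS:
            if current:
                commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands

def find_env_mutations(cmdline: str) -> list:
    """Reasons the line must not be treated as a harmless read-only command."""
    findings = []
    for words in split_commands(cmdline):
        while words and ASSIGNMENT.match(words[0]):   # VAR=value prefix assignments
            findings.append(f"inline assignment: {words.pop(0)}")
        if words and words[0] in ENV_MUTATING:
            findings.append(f"env-mutating builtin: {' '.join(words)}")
    return findings

def should_auto_approve(cmdline: str, allowlist=frozenset({"npm", "make", "git", "ls"})) -> bool:
    """Auto-approve only if every simple command is an allowlisted program and nothing
    in the line changes the environment those programs will run under."""
    if find_env_mutations(cmdline):
        return False
    commands = split_commands(cmdline)
    return bool(commands) and all(words and words[0] in allowlist for words in commands)
```

Anything that fails this check should fall back to the normal human-in-the-loop prompt rather than being silently rejected, so the developer sees exactly which token triggered it.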
A comprehensive security analysis of five vibe-coding IDEs – Cursor, Claude Code, OpenAI Codex, Replit, and Devin – revealed that while coding agents excel at avoiding SQL injection and XSS flaws, they struggle with Server-Side Request Forgery (SSRF) issues, business logic handling, and enforcing appropriate authorization when accessing APIs. Notably, none of the analyzed tools included CSRF protection, security headers, or login rate limiting. This analysis highlights the current limitations of AI-driven coding, suggesting that human oversight remains crucial for addressing these security gaps. While AI agents may produce secure code at times, they consistently fail to implement critical security controls without explicit guidance, particularly in nuanced decision-making areas like business logic and authorization rules.
The ongoing discovery of these vulnerabilities across diverse AI applications, from calendar integrations to coding assistants, underscores the dynamic nature of cybersecurity in the age of artificial intelligence. Organizations must maintain vigilance, continuously reassess their AI deployments, and implement robust security practices that account for both traditional threats and the novel attack vectors presented by AI-native features. The future will likely see a continued focus on refining AI safety protocols, enhancing LLM evaluation benchmarks, and developing more sophisticated defenses against prompt injection and other AI-specific exploits.