Google Fixes Critical RCE Flaw in AI-Based Antigravity Tool
Recorded: April 21, 2026, 5:01 p.m.
The prompt injection vulnerability in the agentic AI product for filesystem operations was a sanitization issue that allowed for sandbox escape and arbitrary code execution.

Elizabeth Montalbano, Contributing Writer
April 21, 2026
4 Min Read
Source: Nico El Nino via Alamy Stock Photo

Google has fixed a critical flaw in its agentic integrated developer environment (IDE) Antigravity that led to sandbox escape and remote code execution (RCE) after researchers created a proof of concept (PoC) prompt injection attack exploiting it.

Prompt injection issues are becoming a major thorn in the side of artificial intelligence (AI) tools, although, in this case, the vulnerability seems to be more of a common problem with IDEs in general than an AI-specific one. IDEs are a package of basic tools and capabilities that developers need to program, edit, and test software code; Antigravity is an agentic IDE that provides developers with native tools for filesystem operations.

Researchers at Pillar Security uncovered a critical flaw in Antigravity's tool-execution model that allows attackers to escalate a seemingly benign prompt injection into full system compromise, according to a blog post published this week. The issue centers on how the IDE handles internal tool calls, specifically a file-search capability that executes before security controls are enforced.

The flaw affects the find_by_name tool's Pattern parameter: insufficient input sanitization lets an attacker inject command-line flags into the underlying fd utility, according to the post. This effectively converts a file search operation into arbitrary code execution.

'Full Attack Chain'

Ultimately, combined with Antigravity's ability to create files as a permitted action, the result is "a full attack chain: stage a malicious script, then trigger it through a seemingly legitimate search, all without additional user interaction once the prompt injection lands," Pillar Security's Dan Lisichkin wrote in the post.

The vulnerability is dangerous because it bypasses Antigravity's Secure Mode, the product's most restrictive security configuration. "Secure Mode is designed to restrict network access, prevent out-of-workspace writes, and ensure all command operations run strictly under a sandbox context," Lisichkin wrote. "None of these controls prevent exploitation, because the find_by_name tool call fires before any of these restrictions are evaluated."

That means the agent treats the call as a native tool invocation, not a shell command, so it never reaches the security boundary that Secure Mode enforces, he said. "This means an attacker achieves arbitrary code execution under the exact configuration a security-conscious user would rely on to prevent it," Lisichkin wrote.

Google had not responded to a Dark Reading request for comment as of this posting.

Prompt Injection Poses Danger

Prompt injection flaws are becoming some of the most common vulnerabilities found in agentic AI tools, whether they be IDEs or chatbots. Security researchers have found this issue in other AI tools as well, including ChatGPT's Atlas browser and the Google Gemini AI chatbot.

However, in this case, it seems the flaw may be more of an IDE issue than one related to Antigravity being an AI-based tool, says Fredrik Almroth, co-founder and security researcher at application security testing firm Detectify.

"This is an issue across IDEs, AI or not," Almroth tells Dark Reading via an email exchange. "It's almost inevitable: Any time you have a primitive that reads or writes files or executes commands, there is a risk of security breaches. Making a 'fully secure' sandbox environment is virtually impossible."

Almroth cited AngularJS, a Java-based tool also developed by Google, as an example of a non-AI-based IDE with a similar issue. "[Google] introduced a sandbox in 2010 to prevent 'client-side template injection attacks' (XSS)," he says. "All versions of Angular v1 have had their sandbox bypassed. They never got it right, so in v2 it was completely removed."

Other AI-based IDEs seem to suffer from similar issues, too, according to Pillar. Earlier research the firm disclosed about the prompt-injection flaw CVE-2026-22708 in the AI-assisted development environment Cursor demonstrates that the pattern repeats across agentic IDEs: tools designed for constrained operations become attack vectors when their inputs are not strictly validated, Lisichkin wrote.

"The trust model underpinning security assumptions, that a human will catch something suspicious, does not hold when autonomous agents follow instructions from external content," he explained.

How to Fix a Recurring IDE Issue

The good news for Antigravity is that Google acknowledged and fixed the prompt injection flaw identified by Pillar in February, not long after it was reported to them in January, according to Pillar. Pillar's research team was awarded a bug bounty for the find, though the amount was not disclosed.

To solve the larger prompt-injection issue, however, the industry must move beyond sanitization-based controls toward execution isolation, Lisichkin suggested, since "every native tool parameter that reaches a shell command is a potential injection point." That means those developing agentic AI IDEs must make it mandatory to audit for this class of vulnerability in order to ship agentic features safely, he said.

While it's possible to achieve secure sandboxing during development, "it's incredibly hard to secure a development environment that absolutely must be able to read and write files while still invoking utilities," Almroth says.
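To make the defect class concrete (a tool parameter that reaches a command line) and the execution-isolation direction Lisichkin describes, here is an added example in Python; it is not code from Antigravity, Google or Pillar Security. A weak search wrapper sits beside a hardened one that evaluates the security policy before the tool fires, invokes fd as an argv list with no shell, and places the pattern after fd's '--' end-of-options marker; the Policy class, the workspace path and the option-like pattern "--hypothetical-flag" are constructed stand-ins.

```python
import subprocess
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    """Constructed stand-in for an IDE security mode (not Antigravity's real config)."""
    secure_mode: bool
    workspace: str  # absolute path the search must stay inside

class ToolRejected(Exception):
    """Raised when the policy gate refuses a tool call before it runs."""

def weak_fd_command(pattern: str, root: str) -> str:
    # Weak: the LLM-supplied term is interpolated into a shell string with no
    # '--' separator, so a term beginning with '-' is parsed by fd as an
    # option rather than as the regex to search for (argument injection).
    return f"fd {pattern} {root}"

def hardened_fd_argv(pattern: str, policy: Policy) -> list[str]:
    # 1. Evaluate the policy *before* the native tool fires; the flaw in the
    #    article was a tool call that ran ahead of the Secure Mode checks.
    if policy.secure_mode and not policy.workspace.startswith("/"):
        raise ToolRejected("Secure Mode requires an absolute workspace root")
    # 2. Refuse option-like or control-character input. fd patterns are
    #    regexes, so a legitimate search term never needs a leading '-'.
    if pattern.startswith("-") or any(ord(ch) < 0x20 for ch in pattern):
        raise ToolRejected(f"option-like or control-char pattern: {pattern!r}")
    # 3. Build an argv list (no shell) and end option parsing with '--' so the
    #    pattern and root are always positional data, never flags.
    return ["fd", "--type", "f", "--", pattern, policy.workspace]

def is_rejected(pattern: str, policy: Policy) -> bool:
    """True when the hardened gate refuses the pattern before anything runs."""
    try:
        hardened_fd_argv(pattern, policy)
    except ToolRejected:
        return True
    return False

def run_search(pattern: str, policy: Policy, timeout: float = 10.0) -> list[str]:
    """Run the hardened search (requires fd on PATH); returns matched paths."""
    argv = hardened_fd_argv(pattern, policy)
    proc = subprocess.run(argv, capture_output=True, text=True, timeout=timeout)
    return proc.stdout.splitlines()

if __name__ == "__main__":
    policy = Policy(secure_mode=True, workspace="/home/dev/project")  # constructed
    injected = "--hypothetical-flag"  # constructed; stands in for any fd option
    print("weak shell string:", weak_fd_command(injected, policy.workspace))
    print("hardened rejects:", is_rejected(injected, policy), hardened_fd_argv(r"config\.ya?ml", policy))
```

Even if the leading-dash check were omitted, the '--' marker alone would keep fd from reading the pattern as an option; the gate running first is what closes the ordering gap the article describes.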
Moreover, "having an LLM in the mix adds another layer of complexity to a challenge companies have been struggling with for years," he says, which means those developing AI tools should be mindful of the issue before releasing new builds.