A newly discovered zero-click security flaw in Google’s Gemini Enterprise AI, dubbed GeminiJack, allowed attackers to silently access and exfiltrate sensitive corporate data — including Gmail messages, Calendar events, and Google Docs — without any user interaction, by embedding hidden instruction payloads in shared Workspace files that the AI would execute during routine searches. This architectural weakness was identified by Noma Labs, reported to Google, and subsequently patched; the exploit leveraged indirect prompt injection to bypass traditional defenses and acted through the AI’s Retrieval-Augmented Generation mechanisms.
Sources: Cyber Security News, Security Affairs
Key Takeaways
– Zero-Click Exploit: GeminiJack allowed data theft without any clicks or alerts, turning shared Workspace content into a launch pad for silent extraction of corporate information.
– Architectural Weakness: The vulnerability stemmed from how Gemini’s AI accessed and interpreted shared data across Gmail, Calendar, and Docs within corporate environments.
– Patch and Future Risks: Google patched the flaw in collaboration with researchers, but this incident highlights broader risks as AI agents gain deep access to enterprise data.
In-Depth
In early December 2025, cybersecurity researchers uncovered a serious vulnerability in Google’s enterprise AI platform, Gemini Enterprise, that underscored the emerging cybersecurity challenges posed by advanced artificial intelligence systems. The flaw, named GeminiJack, was not your typical software bug — it was a structural weakness in how the AI processed and acted on content retrieved from corporate resources such as Gmail, Google Calendar, and Google Docs. Unlike classic exploits that depend on phishing or user mistakes, GeminiJack could be triggered without any user interaction at all, earning it the designation zero-click. The discovery was made by Noma Labs, a security firm specializing in AI risk, which reported the issue to Google as part of coordinated responsible disclosure. Google responded by releasing fixes that altered the way Gemini Enterprise and associated services like Vertex AI Search handle retrieval and instruction processing, aiming to close the gap that allowed the exploit.
At the heart of GeminiJack was an indirect prompt injection technique. Attackers could embed hidden commands in seemingly benign shared content — a Calendar invite, a shared Google Doc, or even a Gmail message — that the AI would unwittingly interpret as legitimate instructions when included in the AI’s context during standard searches. Because Gemini Enterprise uses a Retrieval-Augmented Generation (RAG) architecture to pull together information from multiple corporate data sources, the presence of a malicious prompt could cause the AI to execute unauthorized queries across Gmail threads, calendar entries, and document repositories. The results of those queries could then be exfiltrated via a disguised network request embedded in an image tag, all without triggering alerts from data loss prevention systems or endpoint security tools.
One of the most alarming aspects of this vulnerability was the lack of visible symptoms. From the employee’s perspective, everything looked normal: routine searches returned expected results. Security teams would see routine traffic with no malicious binaries, phishing links, or suspicious user behavior. Yet behind the scenes, sensitive communications, strategic documents, and internal calendars could be siphoned off in bulk to an attacker-controlled server. This starkly illustrated how AI tools with broad access privileges can become powerful attack surfaces if not rigorously constrained and monitored.
Industry coverage of GeminiJack highlighted the potential scale of the problem. Security outlets reported that the vulnerability could have impacted millions of users within organizations that deployed Gemini Enterprise with broad data access permissions. In contrast to more isolated bugs, GeminiJack represented a new class of AI-native exploits driven by how machine learning systems interpret and act on context, rather than by flaws in conventional code execution paths. This distinction matters: defenses designed for traditional malware — signatures, network heuristics, and behavioral alarms — are ill-suited to detect an AI system dutifully following its programming while inadvertently assisting an attacker.
Google’s response was swift once it understood the severity. The company worked with Noma Labs to validate the findings, then rolled out a fix that separated components like Vertex AI Search from Gemini Enterprise’s internal workflows and tightened the systems’ handling of retrieved content and instructions. But experts emphasized that patching a single flaw does not eliminate the broader category of risks inherent in generative AI systems with deep data access. As organizations increasingly integrate machine learning tools into core workflows, the need for AI-specific security practices — including prompt sanitization, strict access controls, and real-time monitoring of AI behavior — has become more urgent. Traditional security teams may need to adapt their playbooks to account for scenarios where the AI itself, rather than external malware, becomes the vector.
The GeminiJack incident serves as a cautionary tale: while AI offers productivity gains, it also introduces new vectors for data exfiltration that are fundamentally different from conventional cyberattacks. As this class of vulnerabilities grows, defenders will need to rethink how to protect sensitive enterprise assets in an era where sophisticated AI assistants are woven into daily operations.