Google fixes GeminiJack zero-click exposing corporate Gmail, Calendar invites, shared Docs

Published: 10 December 2025
Last updated: 11 December 2025
Google Workspace 2
Image by Shutterstock

A newly uncovered AI injection prompt vulnerability in the Google Gemini enterprise AI ecosystem – allowing attackers to steal sensitive Gmail, Docs, and Calendar data – has been fixed, but experts say it is just the beginning of AI vulnerabilities to come.

Key takeaways:
  • Google patches critical AI vulnerability in Gemini Enterprise allowing attackers to steal Gmail, Calendar, and Docs data without user interaction.
  • Flaw exploited prompt injection to manipulate AI retrieval systems, leaking years of emails, calendars, and document repositories via disguised image requests.
  • Experts warn GeminiJack exposes architectural weaknesses in enterprise LLMs, with similar injection attacks likely as companies rush to deploy LLMs without proper safeguards.
Key Takeaways by nexos.ai, reviewed by Cybernews staff.

The “GeminiJack” vulnerability, discovered within Google Gemini Enterprise and previously in Vertex AI Search, was identified by researchers at Noma Labs in May. After collaborating on a fix with Google, it was publicly disclosed on Tuesday.

ADVERTISEMENT

By exploiting an organization’s reliance on Google’s Workspace tools and sharing, attackers were able to manipulate everyday workflows to access and exfiltrate that company's sensitive information.

“A shared Google Doc, a Google Calendar invite, or even a Gmail instantly becomes a persistent open channel into your corporate data,” Noma said.

Google GeminiJack timeline
Image by Noma Labs

What’s more, unlike traditional software bugs, GeminiJack is not a conventional flaw, Noma says, but an “architectural weakness” in how Google’s enterprise AI systems interpret user-provided content.

It is also considered one of the most significant AI-driven security risks to hit the corporate cloud so far, due to the fact that the bug required no user interaction to do its damage.

“No clicks were required from the targeted employee. No warning signs appeared. And no traditional security tools were triggered,” Noma explained in its security blog.

“Incidents like GeminiJack show that prompt injection and data leakage are no longer edge-case research topics,” said James Wickett, CEO of DryRun Security, adding that “these bugs are a symptom of a deeper architectural problem in how enterprises are wiring LLMs into their systems, even at the biggest companies."

jurgita justinasv Izabelė Pukėnaitė vilius Ernestas Naprys Gintaras Radauskas
Don't miss our latest stories on Google News. Add us as your Preferred Source on Google
Follow us
ADVERTISEMENT

How it worked

According to Noma researchers, attackers could embed hidden instructions inside a shared document or message.

When an employee later performed a routine search using Google’s Gemini Enterprise AI, the AI assistant automatically retrieved the manipulated content, executed the malicious instructions, and simply exfiltrated the sensitive data via a disguised external image request.

With the GeminiJack zero-click, a single routine AI query could leak:

  • Years of internal emails - including customer and financial communications
  • Complete calendar histories - revealing negotiations, business relationships, and organizational behavior
  • Entire document repositories - from contracts to technical architecture

Google, which “promptly responded to the disclosure,” says its teams collaborated with Noma to “understand the attack vector and implement comprehensive mitigations.”

The fix was said to address “the core issue of instruction/content confusion in the RAG processing pipeline.” Noma said.

RAG or Retrieval-Augmented Generation is a recurring pipeline of document pre-processing, ingestion, and embedding generation in real time, returning a user's query into digestible information with limited hallucinations, according to Nvidia.

All of it funneled directly to an attacker via what appeared to be a standard image request, indistinguishable from legitimate traffic.

“This is excessive agency in action. An AI assistant operating exactly as designed, but functioning as the most efficient corporate spying tool imaginable.”

- Noma Labs
ADVERTISEMENT

“This is excessive agency in action. An AI assistant operating exactly as designed, but functioning as the most efficient corporate spying tool imaginable,” the Noma researchers said.

As part of the fix, Vertex AI Search has now been fully separated from Gemini Enterprise, ensuring the two systems no longer share the same LLM-driven retrieval pipelines, Google noted.

As for future AI injection attacks, Wickett points out that “we are still early in the AI adoption curve.”

Wickett says to expect more failures (similar to the GeminiJack flaw) in the coming years until teams build real guardrails around model inputs, retrieval sources, and agent actions.

“Without those controls and a focus to build secure AI apps, it is likely we’ll see more of this,” Wickett said.

Unlock more exclusive Cybernews content on YouTube.

Share
Post
Share
Share
Share
More from Cybernews
Companies using Fable 5 beware: it’s collecting your data, and there are no exceptions
World’s leading mathematicians ridicule AI hype in high-IQ declaration
Democrats are far more worried than Republicans that AI will take jobs, new poll finds
Europe’s tech revolution feels like Soviet déjà vu
New York demands advertisers use “synthetic performer” label or else
The surprising way Elon Musk is powering your next holiday flight
ADVERTISEMENT