Google resolved a weakness in Gemini Enterprise and Vertex AI Search that researchers said could have enabled the theft of emails, calendars and documents via indirect prompt injection.The exploit, dubbed “GeminiJack,” was discovered by Noma Labs and described in a blog post Monday. Noma describes GeminiJack as a “zero-click” exploit, as the attack is automatically triggered when the target completes a routine search, due to malicious instructions planted in calendar invites, sent emails or shared documents. To conduct a GeminiJack attack, an attacker would craft instructions telling Gemini to complete a search, such as “emails from the sales department,” and include the results of that search at the end of an image embed URL with an attacker-controlled domain.They would then plant these instructions in an email sent to the victim’s Gmail, a Google Calendar invitation sent to the victim or a Google Document shared with the victim.The attack would trigger when the victim makes a relevant search of their Google Enterprise environment using the built-in Vertex AI Search feature, which would pull the attacker’s content into the AI’s context window.
Related reading:
The AI would follow both the victim’s and the attacker’s instructions, searching across Gmail, Google Calendar, Google Documents and other Google Workspace components for the desired information via the search feature’s retrieval-augmented generation (RAG) architecture.Gemini would ultimately output the image embed link, which would send the results of the attacker’s desired search as an HTTP request to the attacker’s domain when the browser attempts to retrieve the image.“The GeminiJack vulnerability represents a classic example of an indirect prompt injection attack. Effective detection requires comprehensive inspection of all data sources feeding the agent’s context including tool outputs, RAG-retrieved data, and other external inputs,” Sasi Levi, security research lead at Noma Security, said in an email to SC Media.
Noma Labs demonstrated the proof-of-concept exploit in a video, showing the successful exfiltration of information from a Gemini Enterprise environment following a Vertex AI search. Noma reported the weakness to Google in June 2025 and worked with the company to resolve the issue by November 2025.“Google hasn’t disclosed the technical details of their fix for GeminiJack, and we don’t know the specific architectural modifications they made (e.g. content sanitization, parsing rule changes, RAG pipeline restructuring) to address the vulnerability,” Levi said, although Noma’s blog post notes that a fix was made that “addresses the core issue of instruction/content confusion in the RAG processing pipeline.”GeminiJack is similar to other indirect prompt injection weaknesses discovered by researchers including the “EchoLeak” vulnerability in Microsoft 365 Copilot discovered by Aim Security, a flaw in Slack’s AI assistant that could have allowed insider phishing attacks, identified by PromptArmor, and a weakness in Gemini for Workspace discovered by HiddenLayer that similarly used instructions hidden in documents or emails to send phishing links to targets.“Organizations need to understand that this is not just a vendor specific bug but a broader architectural risk where models treat untrusted content as instructions and then act on it across all connected data,” Jason Soroko, senior fellow at Sectigo, told SC Media in an email.
AI/ML, Data Security, Application security, Generative AI, Exposure management
Google addresses ‘GeminiJack’ exploit affecting Gemini Enterprise
(Credit: Koshiro K – stock.adobe.com)
An In-Depth Guide to AI
Get essential knowledge and practical strategies to use AI to better your security program.
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds