GeminiJack turned a poisoned document into silent corporate data theft
Noma Security disclosed GeminiJack, a zero-click flaw in Google Gemini Enterprise, on December 11, 2025. An attacker shares a booby-trapped Google Doc, email or calendar invite carrying hidden instructions. The victim never has to open it. Later, when any employee asks Gemini a routine question, the assistant's retrieval layer pulls in the poisoned content, treats the buried instructions as commands, and quietly exfiltrates emails, documents and calendar data containing terms like "confidential," "legal," "salary" or "API key." Google confirmed the findings and deployed mitigations. The vulnerability is not a bug in traditional code; it is the AI doing exactly what injected text told it to, because it cannot tell the difference between data it retrieved and instructions it should follow.
Incident Details
Tech Stack
References
The attack you never click
Most people have internalized a basic rule of digital safety: do not open suspicious attachments, do not click strange links. GeminiJack is unsettling because it sidesteps that rule entirely. The victim does not open anything. They do not click anything. They just use their company's AI assistant the way they use it every day, and that is enough.
Noma Security disclosed GeminiJack on December 11, 2025, having reported it to Google earlier in the year. It targets Google Gemini Enterprise, the version of Gemini pitched to organizations to automate work across their document stores, email and calendars. The flaw is a zero-click indirect prompt injection, and the mechanism is worth understanding because it is going to keep recurring in different products.
How the poison spreads
Gemini Enterprise, like most enterprise AI assistants, works by retrieval. When you ask it a question, it does not answer from memory; it searches your organization's connected content - Docs, emails, calendar entries - pulls in whatever seems relevant, and uses that material to build its answer. This is what makes it useful. It is also the hole.
An attacker crafts a document, email or calendar invite containing hidden instructions - text written to be read by the model rather than the human. As Noma put it, an attacker could share a Google Doc containing indirect prompt injection about, say, budgets, without any notification to the target. The poisoned item just sits in the shared corpus. Nobody opens it. Nothing happens.
Then, at some later point, an employee asks Gemini a normal question - "show me our budgets," "summarize the latest on the acquisition," anything that touches the poisoned topic. Gemini's retrieval layer dutifully fetches the attacker's document because it matches the query. And here is the failure: the model cannot reliably distinguish between the content it retrieved (which it should treat as data) and instructions embedded in that content (which it should ignore). It reads the buried commands and executes them.
In Noma's demonstration, those commands told Gemini to hunt through the user's accessible data for anything containing sensitive keywords - "confidential," "legal," "salary," "API key" - and quietly ship it out. As Noma summarized the danger: "The victim would not need to view the malicious asset; instead, the attacker's commands would be executed by Gemini Enterprise when being asked for information on a related topic." No warning, no click, no visible sign that the assistant just rifled through the org's data on an outsider's behalf.
Why this is an AI failure and not a normal bug
It matters that GeminiJack is not a buffer overflow or an injection flaw in some piece of hand-written server code. There is no traditional vulnerability being exploited. The database works. The permissions work. The web server works. What fails is the model's inability to separate trusted instructions from untrusted retrieved content, which is a property of how large language models process context, not a coding mistake someone can simply patch out of existence.
This distinction is the whole reason the story belongs here rather than in a generic CVE roundup. The attacker did not break Google's code; they wrote English (or something the model reads as instructions) into a document and let Gemini's own design carry it the rest of the way. The exploit runs on the AI's behavior. That is a fundamentally different security model from the one most enterprise defenses were built for, which assumes the threat is malicious code, not malicious text that the AI treats as a command.
The retrieval trap, generalized
GeminiJack is one instance of a pattern the Vibe Graveyard has documented across vendors: an AI assistant with broad access to organizational data, a retrieval mechanism that ingests untrusted content, and a model that treats retrieved text as authoritative. Change the product name and the same shape appears in the Microsoft 365 Copilot EchoLeak exfiltration, in the ChatGPT connector attacks, in the Salesforce agent injections. The common thread is that connecting a language model to a company's data and letting it act on whatever it reads creates an attack surface where the payload is words, not code.
What makes the enterprise-search version especially nasty is the delay and the invisibility. The poisoned document can be planted long before it is used. The trigger is an innocent employee's ordinary query, not any action by the attacker. And the exfiltration happens inside the normal flow of the assistant answering a question, so there is nothing obviously anomalous to notice. The attacker plants a landmine in the shared drive and waits for a colleague to step on it while asking about budgets.
Google's fix and the residual problem
To its credit, Google confirmed Noma's findings were accurate and deployed mitigations, reportedly including changes to how Vertex AI Search feeds into Gemini Enterprise. The researchers noted the company moved quickly once notified. So the specific GeminiJack path is closed.
The class of problem is not. Every enterprise AI assistant that retrieves untrusted content and can act on it is exposed to some version of this, and defending against it is genuinely hard, because the useful behavior (read the org's documents and do what is helpful) and the dangerous behavior (read a planted document and do what it says) are the same behavior aimed at different text. Patching one injection technique does not teach the model to reliably tell instructions from data, because current models cannot. Until that changes, "the assistant read a document and followed the instructions hidden in it" will keep being a viable way to rob a company that never clicked a thing.
Discussion