{"id":234449,"date":"2026-04-20T17:18:00","date_gmt":"2026-04-20T21:18:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/04\/20\/vuln-in-googles-antigravity-ai-agent-manager-could-escape-sandbox-give-attackers-remote-code-execution\/"},"modified":"2026-04-20T17:18:00","modified_gmt":"2026-04-20T21:18:00","slug":"vuln-in-googles-antigravity-ai-agent-manager-could-escape-sandbox-give-attackers-remote-code-execution","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/04\/20\/vuln-in-googles-antigravity-ai-agent-manager-could-escape-sandbox-give-attackers-remote-code-execution\/","title":{"rendered":"Vuln in Google\u2019s Antigravity AI agent manager could escape sandbox, give attackers remote code execution"},"content":{"rendered":"<p><a href=\"https:\/\/cyberscoop.com\/google-antigravity-pillar-security-agent-sandbox-escape-remote-code-execution\/\">Vuln in Google\u2019s Antigravity AI agent manager could escape sandbox, give attackers remote code execution<\/a><\/p>\n<p><a href=\"https:\/\/cyberscoop.com\/google-antigravity-pillar-security-agent-sandbox-escape-remote-code-execution\/\">https:\/\/cyberscoop.com\/google-antigravity-pillar-security-agent-sandbox-escape-remote-code-execution\/<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-04-20 17:18:00<\/a><\/p>\n<p>Source Domain: <a href=\"cyberscoop.com\">cyberscoop.com<\/a><\/p>\n<p>As organizations consider agentic AI for their business and IT stacks, researchers continue to find bugs and vulnerabilities in major, commercial models that can significantly expand their attack surface.<\/p>\n<p>This week, researchers at Pillar Security disclosed a vulnerability in Antigravity, an AI-powered developer tool for filesystem operations made by Google.<\/p>\n<p>The bug, since patched, combined prompt injection with Antigravity\u2019s permitted file-creation capability to grant attackers remote code execution privileges.<\/p>\n<p>The research details 
how the exploit was able to circumvent Antigravity\u2019s secure mode, Google\u2019s highest security setting for its agents, which runs all command operations through a virtual sandbox environment, throttles network access and prohibits the agent from writing code outside of the working directory.<\/p>\n<p>Secure mode is supposed to limit the AI agent\u2019s access to sensitive systems \u2013 and its ability to execute malicious or dangerous acts through shell commands. But one of the file-searching tools used by Antigravity, called \u201cfind_by_name,\u201d is classified as a \u2018native\u2019 system tool. This means the agent can execute it directly, before protections like Secure Mode can even evaluate command-level operations.<\/p>\n<p>\u201cThe security boundary that Secure Mode enforces simply never sees this call,\u201d wrote Dan Lisichkin, an AI security researcher with Pillar Security. \u201cThis means an attacker achieves arbitrary code execution under the exact configuration a security-conscious user would rely on to prevent it.\u201d<\/p>\n<p>The prompt injection attacks can be delivered through compromised identity accounts connected to the agent, or indirectly by hiding clandestine prompt instructions inside open-source files or web content the agent ingests. 
Antigravity has trouble distinguishing between written data it ingests for context and literal prompt instructions, so compromise can be achieved without any elevated access by getting it to&#8230;<\/p>\n<p><a href=\"https:\/\/cyberscoop.com\/google-antigravity-pillar-security-agent-sandbox-escape-remote-code-execution\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Vuln in Google\u2019s Antigravity AI agent manager could escape sandbox, give attackers remote code execution&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[26,31,27],"class_list":["post-234449","post","type-post","status-publish","format-standard","hentry","category-cybersecurity","tag-ai","tag-exploit","tag-vulnerability"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/234449"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=234449"}],"version-history":[{"count":0,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/234449\/revisions"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=234449"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=234449"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=234449"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}