Google Gemini Prompt Injection Flaw Exposed Private Calendar Data via Malicious Invites
A Google Gemini vulnerability allowed attackers to exploit calendar invites to access private meeting data using prompt injection. Learn how the flaw worked and why it matters.
Cybersecurity researchers have found a significant security flaw in Google Gemini that made it possible for attackers to use Google Calendar invites to obtain sensitive user information without having to interact directly with the users. The flaw was based on a technique called indirect prompt injection and showed how AI-powered productivity tools can unknowingly increase the enterprise attack surface.
Google has fixed the problem following responsible disclosure. However, the incident points to the increasing danger of AI agents operating in conjunction with trusted enterprise services.
How the Google Gemini Calendar Exploit Worked
The flaw was made public by Miggo Security. Its Head of Research, Liad Eliyahu, stated that attackers could conceal harmful instructions within the text of a normal calendar invite.
The attack unfolded like this:
- An attacker sends a victim a modified Google Calendar invite.
- The event's text discreetly carries an embedded natural language prompt.
- When the user later asks Gemini something like “Do I have any meetings on Tuesday?”, Gemini reads the concealed prompt and then:
  - Summarizes the user’s private meetings
  - Creates a new calendar event
  - Inserts the confidential meeting data into that event’s description
- In corporate settings, the attacker could very often see the newly created event, so private data was exfiltrated without the user being aware of it.
Miggo mentioned that this completely circumvented the privacy controls of Google Calendar, allowing unauthorized access and stealthy extraction of data.
Why This Matters: AI Expands the Attack Surface
This vulnerability reinforces a critical security reality:
AI systems can be manipulated not only through programming languages but also through natural language. Eliyahu stated that “vulnerabilities are no longer limited to software logic but they have moved to language, context and runtime AI behavior.” The more companies use AI helpers for tasks like scheduling, document sorting and inter-office processes, the bigger the risk of prompt injection attacks, which are very difficult to spot and limit.
Related AI Security Threats Emerging in 2026
The Gemini discovery follows several major AI security disclosures:
Reprompt Attack on Microsoft Copilot
Varonis recently detailed an attack called Reprompt, which allowed attackers to extract sensitive enterprise data from AI chatbots like Microsoft Copilot with a single click - bypassing security controls.
Google Cloud Vertex AI Privilege Escalation
XM Cyber has found weaknesses in the Vertex AI Agent Engine and Ray that would allow attackers to take control of highly privileged service agents and obtain access to:
- LLM memories
- Chat logs
- Storage buckets
- Root access to Ray clusters
Although Google insisted that the services were "working as intended," researchers nevertheless recommended that enterprises conduct thorough audits of service account permissions.
Vulnerabilities in AI Assistants and IDEs
Multiple AI platforms were, in fact, found to have security vulnerabilities:
- The Librarian (CVE-2026-0612, 0613, 0615, 0616) - attackers had access to the backend infrastructure, system prompts, and cloud metadata.
- Backend prompt extraction by means of Base64 encoding - attackers compelled the AIs to reveal their internal instructions through form fields and logs.
- Anthropic Claude Code plug-in attack - malicious plug-ins managed to bypass the security measures and steal files through indirect prompt injection.
- Cursor IDE RCE (CVE-2026-22708) - attackers made use of shell built-ins to manipulate environment variables and enable remote code execution.
AI Coding Tools Still Struggle with Security
A security test was carried out on five of the most popular AI coding platforms. Their handling of SQL injection and XSS was considered acceptable, but all of them were nevertheless found deficient in the following areas:
- The enforcement of authorization rules
- The prevention of SSRF vulnerabilities
- The implementation of CSRF protection
- The addition of security headers
- The application of login rate limits
Ori David from Tenzai comments that coding agents are not reliable for secure application design. Usually, without clear instructions, they cannot pass through the major security controls.
What Organizations Should Do Now
Security teams should take the following actions right away to secure workflows that have AI integrated into them:
- Take an inventory of the permissions held by AI service accounts and managed identities
- Prevent AI agents from making any changes to calendars, documents, or logs without user approval
- Monitor enterprise AI systems for prompt injection abuse
- Analyze the AI models for resistance to jailbreaking, hallucinations, and unsafe automation
- Treat AI inputs as untrusted data, similar to user input in web applications
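The approval and untrusted-input recommendations above, applied to the calendar scenario as an added example (not code from Google, Miggo or any product named here): a policy gate that sits between the model and its tools, tracks which calendar text came from other people, and holds write actions for user approval when the context is tainted or the new event's description copies existing meeting titles. The tool names, the event field layout and the sample events are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

# Hypothetical tool names for illustration; real assistants expose different ones.
WRITE_TOOLS = {"create_event", "update_event", "delete_event"}

@dataclass
class Session:
    user: str
    untrusted_sources: list = field(default_factory=list)  # ids of events authored by others
    seen_titles: list = field(default_factory=list)        # meeting data now in model context

    def load_event(self, event: dict) -> None:
        """Track every calendar event whose text enters the model's context."""
        self.seen_titles.append(event["title"])
        if event["organizer"] != self.user:
            # Text written by someone else is data, never instructions.
            self.untrusted_sources.append(event["id"])

    def authorize(self, tool: str, args: dict, user_approved: bool = False):
        """Return (decision, reasons) for a tool call proposed by the model."""
        if tool not in WRITE_TOOLS:
            return "allow", []
        reasons = []
        if self.untrusted_sources:
            reasons.append(f"context contains untrusted events: {self.untrusted_sources}")
        body = args.get("description", "").lower()
        leaked = [t for t in self.seen_titles if t.lower() in body]
        if leaked:
            reasons.append(f"description copies {len(leaked)} event title(s) from context")
        if reasons and not user_approved:
            return "needs_user_approval", reasons
        return "allow", reasons

# Constructed sample data: two of the user's own meetings and one external invite.
EVENTS = [
    {"id": "e1", "organizer": "alice@example.com", "title": "Q3 budget review"},
    {"id": "e2", "organizer": "alice@example.com", "title": "Board prep"},
    {"id": "e3", "organizer": "outsider@example.net", "title": "Sync",
     "description": "<constructed placeholder: text addressed to the assistant>"},
]

def demo():
    s = Session(user="alice@example.com")
    for e in EVENTS:
        s.load_event(e)
    proposed = {"title": "free", "description": "Q3 budget review; Board prep"}
    return (s.authorize("list_events", {}),                       # read: allowed
            s.authorize("create_event", proposed),                # write: held
            s.authorize("create_event", proposed, user_approved=True))
```

The returned reasons are also what a detection pipeline would log: a write action proposed while externally authored text is in context is the signal to alert on, whether or not the user later approves it.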
Final Thoughts
The Google Gemini calendar vulnerability illustrates that AI-native features introduce new security issues. Attackers no longer need traditional code exploits; they can take advantage of natural language instead.
As AI assistants become common in business, security measures will have to shift from being infrastructure-based to ones that deal with AI behavior, context handling, and runtime trust boundaries.
Organizations that do not adapt run the risk of their own productivity tools being turned into quiet data exfiltration channels.