Security researchers at Miggo, have disclosed a vulnerability in Google’s Gemini assistant that allowed a standard calendar invitation to be used as an attack vector, exposing private meeting data through a form of prompt injection that relied entirely on natural language.
The issue was discovered by a research team led by Liad Eliyahu, head of research, and was responsibly disclosed to Google. The company confirmed the findings and has since mitigated the vulnerability, they said.
The exploit shines a light on the emerging risks that come with AI-powered applications that deeply integrate with user data and productivity tools. “As application security professionals, we’re trained to spot malicious patterns. But what happens when an attack doesn’t look like an attack at all?”
Hidden Instructions Embedded in Calendar Data
Gemini works as an assistant for Google Calendar, automatically parsing event titles, times, attendees, and descriptions so it can answer user questions about schedules and availability. The researchers found that this design allowed malefactors to embed hidden instructions inside the description field of a calendar event.
“What makes this discovery notable isn’t simply the exploit itself. The vulnerability shows a structural limitation in how AI-integrated products reason about intent,” the researchers added.
A malicious actor could use a specially crafted prompt injection in a calendar invitation to install hidden instructions that wouldn’t execute unless the victim later asked Gemini a normal question about their calendar. If the user did ask Gemini (using its existing rights) about their calendar, Gemini would include the malicious language within the calendar’s context and execute it.
Unauthorized Data Exposure Without User Action
In testing, Gemini summarized private meetings and wrote those summaries into newly created calendar events, the researchers said. In many enterprise environments, those events were visible to other users, allowing sensitive data to be accessed without the victim’s knowledge.
“The takeaway is clear. AI native features introduce a new class of exploitability,” the researchers wrote, adding that “Vulnerabilities are no longer confined to code. They now live in language, context, and AI behavior at runtime.”
A Shift From Syntactic To Semantic Security Risks
The researchers said the vulnerability underscores a broader challenge facing application security teams as large language models become embedded into software products.
“This vulnerability demonstrates why securing LLM-powered applications is a fundamentally different challenge,” they wrote.
This is different to conventional defenses, which depend on detecting known malicious patterns, with attacks that exploit semantic meaning instead of obvious strings. “Traditional application security (AppSec) is largely syntactic,” they said, while “in contrast, vulnerabilities in LLM powered systems are semantic.”
Because the malicious instructions looked linguistically benign, standard filtering and pattern-matching techniques would not work, they explained.
AI Assistants as an Application Layer
In this case, instead of operating like a conversational interface only, Gemini acted like an application layer with access to internal tools and APIs. When natural language becomes the primary interface, seemingly benign instructions can trigger privileged actions.
“Securing this layer requires different thinking, and is the next frontier for our industry,” Miggo said.
Broader Implications
While Google addressed the specific flaw, the researchers said: “This Gemini vulnerability isn’t just an isolated edge case. Rather, it is a case study in how detection is struggling to keep up with AI-native threats.”
Defending AI-enabled products will need new approaches that go further than keyword filtering, including runtime policy enforcement, intent analysis, and tighter control over model permissions.
Fragile Trust Boundaries
Oliver Simonnet, Lead Cybersecurity Researcher at CultureAI, said: “This specific case talks about abuse of Gemini, but this is really just a reminder of how fragile the current trust boundaries are in AI workflows.
He said we still haven’t solved Prompt Injection at its fundamental level, and until we do, these types of attacks will continue to be discovered and continue be a risk. “There is no need for traditional exploitation, malware, pr privilege escalation in a lot of these AI-based attacks. Just the existence of natural language, and when AI agents are allowed to act on our behalf, any and all information becomes a potential attack vector.”
Simonnet said as AI assistants become more deeply embedded in everyday tooling, and more capable of moving sensitive information between systems, our thinking will shift from “is the model/tool safe” to, “do we know how data flows invoke AI-driven actions, and what data it can access.”
“As natural language data becomes an unmonitored integration layer, we now need solutions that encourage AI use, but provide visibility and intent-aware controls that sit and intervene at the point of use.”
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.