Google Gemini Indirect Prompt Injection via Calendar Invites Leaks Private Schedule Data
Researchers reported an indirect prompt-injection issue in Google Gemini’s integration with Google Calendar that allows a malicious calendar invite to act as a dormant instruction payload. By crafting natural-language directives in an event’s description field, an attacker can cause Gemini—when later asked routine questions like “What’s my schedule today?”—to ingest the attacker-controlled event content and follow embedded instructions that result in exfiltration of private calendar details (e.g., summarizing private meetings) into attacker-visible locations such as a newly created calendar event description.
Both reports attribute the finding to Miggo Security, describing how the attack can bypass expected privacy controls by exploiting Gemini’s helpful behavior of parsing and acting on calendar data. The technique does not require traditional code execution; it relies on Gemini interpreting attacker-supplied text as instructions, enabling outcomes such as leaking sensitive meeting information and creating deceptive events. This highlights a broader risk pattern for LLM assistants embedded in productivity suites: attacker-controlled content in first-party data fields (like invites) can be weaponized to manipulate the assistant’s actions and data handling.
Timeline
Jan 20, 2026
Researchers publicly disclose the Gemini Calendar attack technique
On January 20, 2026, multiple reports described Miggo's public disclosure of the flaw, including the attack chain, its bypass of Google's prompt defenses, and the risk of exposing private meeting details through malicious calendar invites.
Jan 20, 2026
Google adds mitigations and fixes the reported Gemini flaw
Google implemented mitigations for the specific exploit and later confirmed the vulnerability had been fixed, addressing the reported exposure of private Google Calendar meeting data through Gemini.
Jan 20, 2026
Miggo reports Gemini Calendar data-exfiltration issue to Google
After validating the attack, Miggo shared its findings with Google, describing how Gemini could be induced to summarize private meetings and write the stolen details into a newly created calendar event.
Jan 20, 2026
Miggo discovers Calendar invite prompt-injection flaw in Gemini
Miggo Security identified an indirect prompt-injection vulnerability in Google Gemini's Google Calendar integration, where malicious natural-language instructions embedded in a calendar invite description could remain dormant until a user asked Gemini about their schedule.
Aug 1, 2025
SafeBreach demonstrates earlier Calendar/Gemini prompt-injection technique
An August 2025 SafeBreach demonstration showed prior prompt-injection risks involving Google Calendar and Gemini, establishing earlier research into abusing calendar content to influence the assistant.
See the full picture in Mallory
Mallory subscribers get deeper analysis on every story, including:
Who’s affected and how
Deep-dive technical analysis
Actionable next steps for your team
IPs, domains, hashes, and more
Ask questions and take action on every story
Filter by topic, classification, timeframe
Get matching stories delivered automatically
Related Entities
Malware
Sources
Related Stories
GeminiJack No-Click Prompt Injection Vulnerability in Google Gemini Enterprise
Google addressed a critical vulnerability in its Gemini Enterprise AI assistant, identified as GeminiJack, which allowed attackers to exfiltrate sensitive corporate data through a no-click prompt injection attack. Discovered by Noma Labs, the flaw enabled malicious actors to embed hidden instructions within commonly shared documents, calendar invites, or emails. When an employee performed a standard search using Gemini Enterprise, the AI could automatically retrieve and execute these hidden instructions, granting attackers access to confidential information without any user interaction or warning. The vulnerability stemmed from an architectural weakness in how Gemini Enterprise and Vertex AI Search interpret and process information across integrated Workspace data sources, including Gmail, Calendar, and Docs. Attackers could leverage this flaw to extract entire document stores, calendar histories, and years of email records by simply embedding indirect prompt injections in shared artifacts. Google has since fixed the issue following responsible disclosure by Noma Security, highlighting the risks associated with integrating AI assistants into enterprise environments without robust safeguards against prompt injection attacks.
1 months ago
AI Chatbot Security Risks: Prompt Injection Data Exfiltration and Privacy Trade-offs in New Consumer Tiers
Researchers disclosed an **indirect prompt injection** technique against **Google Gemini** that used a malicious **Google Calendar invite** to bypass guardrails and exfiltrate private meeting details. By embedding a hidden natural-language payload in an event description, an attacker could cause Gemini—when later asked an innocuous scheduling question—to summarize a user’s private meetings and write that summary into a newly created calendar event; in many enterprise configurations, that new event could be visible to the attacker, enabling data theft without additional user interaction. The issue was reported as remediated after responsible disclosure, underscoring how AI assistants integrated with enterprise SaaS can create new cross-application data-extraction paths. Separately, OpenAI product rollouts raised enterprise data-handling concerns tied to consumer usage. **ChatGPT Go** (a low-cost tier) was described as introducing an **ad-supported** model that could increase exposure of conversation data and usage patterns to advertising ecosystems, amplifying “shadow AI” risk when employees use personal accounts for work. **ChatGPT Health** was positioned as a dedicated health experience with added protections (e.g., encryption/isolation and claims that user data is not used to train foundation models), but reporting highlighted unresolved questions around safety, privacy, and how sensitive health information is protected in practice—areas that may require additional governance and controls if employees adopt these tools outside approved enterprise channels.
1 months ago
Legacy Google Cloud API Keys Gaining Unintended Access to Gemini APIs
Security researchers reported that **previously “non-secret” Google Cloud API keys** (commonly embedded in public client-side code for services like *Google Maps*, YouTube embeds, Firebase, and analytics) can **silently become usable credentials for Gemini (Generative Language API) endpoints** once the Gemini API is enabled in the same Google Cloud project. Truffle Security described this as a **privilege escalation/incorrect privilege assignment** scenario where long-exposed `AIza...` keys—originally treated as project identifiers for billing and API access control—can unexpectedly grant access to **Gemini-related data and capabilities**, including access to private AI resources (e.g., uploaded files/cached context) and **billable inference usage**, without clear developer warning or explicit re-authorization. Truffle Security’s internet-scale scanning (including Common Crawl) identified **~2,800–3,000 exposed keys** across organizations in multiple sectors (and reportedly even from Google), highlighting the practical risk of key harvesting from page source and subsequent abuse. The primary impact described is **data exposure via Gemini API access** and **cost/abuse risk** (attackers potentially generating significant charges by making API calls). Separate from the API-key issue, Google also announced a **Gemini feature update for Google Workspace** that allows Gemini to search Google Chat history (noted as *off by default*), which is a product capability announcement rather than a vulnerability disclosure.
1 months ago