Published: January 20, 20261 min read

Google Gemini Privacy Controls Bypassed via Malicious Calendar Invites

A new vulnerability allowed attackers to manipulate Google Gemini into leaking private data simply by embedding malicious text in a calendar invitation.

By Secure.com
Google Gemini Privacy Controls Bypassed via Malicious Calendar Invites

Calendar Invites Turned Spies: How Gemini Was Tricked into Leaking Data

Dateline: January 20, 2026

A significant vulnerability within the Google ecosystem allowed attackers to bypass Google Calendar’s privacy controls using nothing more than a standard calendar event invite. Discovered by researchers at Miggo Security, the flaw exploited "Indirect Prompt Injection" to turn Google’s AI assistant against its own users.

How Did it Happen?

The exploitation process relied on the way Gemini parses context to be helpful, turning a benign feature into a data exfiltration tool. The attack chain consisted of three distinct phases:

  1. The Delivery: An attacker sends a Google Calendar invite to the victim. Buried within the invite’s description field is a malicious natural language prompt (e.g., instructions to summarize the user’s schedule and export it).
  2. The Trigger: The victim does not need to click a link or download a file. They simply interact with Gemini as usual, asking a question like, "What do I have on my schedule today?"
  3. The Exfiltration: As Gemini scans the calendar to answer the user, it ingests the malicious description. Treating the attacker’s text as a trusted instruction, Gemini executes the command—often creating a new calendar event containing the victim’s private meeting data and then sharing it with the attacker.

Why It Matters?

This exploit is a prime example of Indirect Prompt Injection, a growing risk vector where AI models blindly trust incoming data from external sources (emails, websites, calendar invites). Unlike conventional malware, this attack contains no malicious code (only text) making it invisible to standard endpoint protection (EDR) and firewalls.

The Fix

Google has since deployed mitigations to prevent Gemini from executing sensitive commands embedded in untrusted content. However, the incident reveals a critical takeaway for CISOs: As AI agents gain access to personal data, the "language" of your documents and invites becomes a potential attack surface.

Expert Takeaway

"Vulnerabilities are no longer confined to code. They now live in language, context, and AI behavior at runtime." Liad Eliyahu, Head of Research at Miggo Security.​

Similar Blogs

Critical Advisory: n8n RCE Vulnerability (CVE-2026-21858) Exposes Automation Pipelines
Published: January 22, 2026

Critical Advisory: n8n RCE Vulnerability (CVE-2026-21858) Exposes Automation Pipelines

A critical RCE (CVSS 10.0) in n8n exposes automation pipelines and stored secrets to full compromise—upgrade to version 1.36.1 immediately.

Read More →
Why Shift-Left Security Alone Is Insufficient — And Why AI Must Become a Continuous Layer of Defense
Published: January 21, 2026

Why Shift-Left Security Alone Is Insufficient — And Why AI Must Become a Continuous Layer of Defense

Pre-production checks cannot secure a dynamic cloud. Find out how AI bridges the visibility gap between deployment and defense to catch what Shift-Left misses.

Read More →
How to Prevent Cloud Misconfiguration for Secure IT
Published: January 20, 2026

How to Prevent Cloud Misconfiguration for Secure IT

Misconfigurations are the #1 cause of cloud breaches—discover how to move from "finding" them to "fixing" them with AI-driven guardrails.

Read More →