Article Details

Gemini AI assistant tricked into leaking Google Calendar data. Using only natural language instructions, researchers were able to bypass Google Gemini's defenses against malicious prompt injection and create misleading events to leak private Calendar data. Sensitive data could be exfiltrated this way, delivered to an attacker inside the description of a Calendar event. Gemini is Google’s large language model (LLM) assistant, integrated across multiple Google web services and Workspace apps, including Gmail and Calendar. It can summarize and draft emails, answer questions, or manage events. The recently discovered Gemini-based Calendar invite attack starts by sending the target an invite to an event with a description crafted as a prompt-injection payload. To trigger the exfiltration activity, the victim would only have to ask Gemini about their schedule. This would cause Google's assistant to load and parse all relevant events, including the one with the attacker's payload. Researchers at Miggo Security, an Application Detection & Response (ADR) platform, found that they could trick Gemini into leaking Calendar data by passing the assistant natural language instructions: "Because Gemini automatically ingests and interprets event data to be helpful, an attacker who can influence event fields can plant natural language instructions that the model may later execute," the researchers explain. By controlling the description field of an event, they discovered that they could plant a prompt that Google Gemini would obey, although it had a harmful outcome. Once the attacker sent the malicious invite, the payload would be dormant until the victim asked Gemini a routine question about their schedule. When Gemini executes the embedded instructions in the malicious Calendar invite, it creates a new event and writes the private meeting summary in its description. In many enterprise setups, the updated description would be visible to event participants, thus leaking private and potentially sensitive information to the attacker. Miggo comments that, while Google uses a separate, isolated model to detect malicious prompts in the primary Gemini assistant, their attack bypassed this failsafe because the instructions appeared safe. Prompt injection attacks via malicious Calendar event titles are not new. In August 2025, SafeBreach demonstrated that a malicious Google Calendar invite could be used to leak sensitive user data by taking control of Gemini's agents. Miggo's head of research, Liad Eliyahu, told BleepingComputer that the new attack shows how Gemini’s reasoning capabilities remained vulnerable to manipulation that evades active security warnings, and despite Google implementing additional defenses following SafeBreach’s report. Miggo has shared its findings with Google, and the tech giant has added new mitigations to block such attacks. However, Miggo’s attack concept highlights the complexities of foreseeing new exploitation and manipulation models in AI systems whose APIs are driven by natural language with ambiguous intent. The researchers suggest that application security must evolve from syntactic detection to context-aware defenses. The 2026 CISO Budget Benchmark It's budget season! Over 300 CISOs and security leaders have shared how they're planning, spending, and prioritizing for the year ahead. This report compiles their insights, allowing readers to benchmark strategies, identify emerging trends, and compare their priorities as they head into 2026. Learn how top leaders are turning investment into measurable impact.