A vulnerability in Google’s Gemini AI model that could allow bad actors to go around privacy controls in Google Calendar and access and leak private meeting data is the latest example of how traditional cybersecurity struggles to keep up with threats posed by AI, according to researchers with application security firm Miggo.

Using an indirect prompt injection technique, they were able to manipulate Gemini and abuse its role as an assistant for Google Calendar. Gemini can parse the full context of a user’s calendar events, from titles and time to attendees and descripts, which allows it to answer questions the user might have, including about their schedule on a particular day.

“The mechanism for this attack exploits that integration,” Liad Eliyahu, head of research for Miggo, wrote in a report this week. “Because Gemini automatically ingests and interprets event data to be helpful, an attacker who can influence event fields can plant natural language instructions that the model may later execute.”

The researchers were able to exploit the vulnerability with three steps. They created a new calendar event that included an embedded prompt-injection payload that instructed Gemini to summarize all of the targeted user’s meeting on a specific day – this included private meetings – and sent an invite the user.

The promote also told Gemini to exfiltrate the data by writing it into the description of a new calendar event and then gave the user a harmless response – “it’s a free time slot” – to hide its intent.

“The payload was syntactically innocuous, meaning it was plausible as a user request,” Eliyahu wrote. “However, it was semantically harmful … when executed with the model tool’s permissions.”

Payload Comes into Play

The payload was kicked into action when the user asked Gemini an everyday question about their schedule, such as “Hey, Gemini, am I free on Saturday?” The request led to Gemini loading and parsing all relevant calendar events, including the hacker’s malicious one, and activating the payload.

To the user, Gemini appeared to be acting normally when replying, “it’s a free time slot.”

“Behind the scenes, however, Gemini created a new calendar event and wrote a full summary of our target user’s private meetings in the event’s description,” he wrote. “In many enterprise calendar configurations, the new event was visible to the attacker, allowing them to read the exfiltrated private data without the target user ever taking any action.”

Miggo alerted Google to the vulnerability, with the tech giant confirming the findings and mitigating the flaw.

Syntactic vs. Semantic Threats

That said, the bigger issue is that the exploitation of the flaw highlights how securing AI-based applications is a different challenge for security teams.

“Traditional application security (AppSec) is largely syntactic,” Eliyahu wrote. “We look for high-signal strings and patterns, such as SQL payloads, script tags, or escaping anomalies, and block or sanitize them. … In contrast, vulnerabilities in LLM [large language model] powered systems are semantic. This shift shows how simple pattern-based defenses are inadequate. Attackers can hide intent in otherwise benign language, and rely on the model’s interpretation of language to determine the exploitability.”

In Miggo’s testing, Gemini did act as a chat interface, but also operated as an application layer with access to tools and APIs, with Eliyahu noting that “when an application’s API surface is natural language, the attack layer becomes ‘fuzzy.’ Instructions that are semantically malicious can look linguistically identical to legitimate user queries.”

He added that “this Gemini vulnerability isn’t just an isolated edge case. Rather, it is a case study in how detection is struggling to keep up with AI-native threats.”

New Security Thinking Needed

In response, security teams need to move beyond keywork blocking and create runtime systems that can reason about semantics, attribute intent, and track data provenance, creating security controls that treat LLMs as full application layers with privileges that can be governed.

“Securing the next generation of AI-enabled products will be an interdisciplinary effort that combines model-level safeguards, robust runtime policy enforcement, developer discipline, and continuous monitoring,” Eliyahu wrote. “Only with that combination can we close the semantic gaps attackers are now exploiting.”