A recently disclosed vulnerability in Google’s AI assistant Gemini allowed attackers to extract private meeting details from a victim’s Google Calendar without direct user interaction. According to cybersecurity firm Miggo, the flaw stemmed from an indirect prompt injection technique that abused Gemini’s deep integration with Calendar. Google has since confirmed and fixed the issue, but the incident highlights a growing class of AI-native security risks tied to natural language interpretation and tool permissions.

As generative AI assistants become embedded across productivity platforms, they increasingly operate with broad contextual awareness and elevated privileges. Gemini, Google’s AI assistant, parses calendar events to help users summarize schedules, prepare for meetings, and manage time. While this design improves usability, it also expands the attack surface when AI systems automatically ingest and act on user-controlled data fields such as event descriptions.

Miggo researchers demonstrated that an attacker could create a malicious Google Calendar event and send it as an invite to a targeted user. The event contained carefully crafted natural language instructions embedded in the description field.

When the victim later asked Gemini a routine question about their schedule, the AI interpreted those instructions and executed them. The result was the creation of a new calendar event containing summaries of the victim’s private meetings. That newly generated event, including sensitive details, was then accessible to the attacker.

The attack relied on indirect prompt injection, a technique where malicious instructions are hidden inside trusted data sources rather than delivered directly to the AI.

Gemini automatically ingests calendar metadata such as titles, descriptions, attendees, and times. By embedding a syntactically harmless but semantically dangerous payload in the event description, attackers were able to influence Gemini’s behavior.

The payload instructed Gemini to summarize private meetings and write the output into a new calendar event. Because Gemini executed the request using its legitimate permissions, existing privacy controls were bypassed. The attack required no explicit approval and produced no obvious warning to the user.

Successful exploitation could expose sensitive meeting information, including private events, attendees, and schedules. This presents risks for individuals, enterprises, and executives whose calendars often contain confidential business or personal data.

While there is no indication of widespread abuse, the proof-of-concept demonstrates how AI assistants can unintentionally act as data exfiltration channels when permission boundaries are poorly enforced.

This incident underscores a fundamental shift in application security. Traditional defenses focus on code paths and input validation, but AI systems interpret intent rather than fixed commands.

Attackers can now hide malicious logic inside natural language that appears benign. As AI assistants gain broader access to internal tools, organizations must rethink how trust, context, and permissions are enforced across AI-driven workflows.

Miggo emphasized that pattern-based defenses are insufficient against these attacks. Because the malicious instructions closely resemble legitimate user requests, detection requires deeper contextual and semantic analysis rather than static filtering.

Google acknowledged the issue and deployed mitigations, signaling growing awareness of prompt injection risks across AI ecosystems.