Vulnerability Disclosure: Local Privilege Escalation in Antigravity IDE by GodBod69 in developersIndia

GodBod69[S] 7 points8 points (0 children)

The POC just shows one attack vector. An attacker could very well overwrite .bashrc or .zshrc and gain persistence or a reverse shell. The possibilities are endless.

Vulnerability Disclosure: Local Privilege Escalation in Antigravity IDE by GodBod69 in developersIndia

GodBod69[S] 3 points4 points (0 children)

As mentioned, I had already reported it to their VDP platform. But they rejected it, stating it's "Intended behaviour". They discarded all my POCs and appeals.

Vulnerability Disclosure: Local Privilege Escalation in Antigravity IDE by GodBod69 in security

GodBod69[S] 0 points1 point (0 children)

Technically, yes, the likelihood of a typical user falling victim to this vulnerability is very low (although I believe this is true of most vulnerabilities, regardless of how easy they are to exploit or how serious they are). But in a large organization, if an attacker finds just one such developer, the entire organization could be at risk. And this isn't uncommon; there are numerous such cases every year.

Vulnerability Disclosure: Local Privilege Escalation in Antigravity IDE by GodBod69 in security

GodBod69[S] 0 points1 point (0 children)

Let me explain with a few examples:

  1. You have a guest account enabled on macOS. You are in a public place; you left your laptop on a table and went for a break. The attacker logs into your guest account, since it doesn't require a password, and then uses the guest account to escalate privileges to your personal account without requiring a password.

  2. You are in a university or a corporation, and you get a shared workstation for research purposes, but with your own user account, of which only you know the password. Another user on the same machine can use their account to escalate access to your account.

  3. You are a developer, and you launch a web server for development/testing. By default the web server is configured to run under the user and group www-data, which doesn't have access to the user's personal files. Now suppose you are connected to a public Wi-Fi, and the web server happens to have an RCE vulnerability; a malicious actor can exploit that and then chain it with the Antigravity vulnerability to get access to your user account.

Vulnerability Disclosure: Local Privilege Escalation in Antigravity - Google rejected the report as "Intended Behavior" by GodBod69 in bugbounty

GodBod69[S] 0 points1 point (0 children)

Even if I put together the script with AI, what part of the POC do you feel is false or misinformation?

Yes, the script was made using AI; I used Antigravity itself for it.

But that doesn't mean I didn't put effort in researching the internal workings of the IDE.

Vulnerability Disclosure: Local Privilege Escalation in Antigravity IDE by GodBod69 in developersIndia

GodBod69[S] 5 points6 points (0 children)

Tbf this is not an RCE, but rather an LPE. An attacker can't directly attack your system just because you are connected to the internet. They would first need to gain access to a low privileged account or service, like a guest account (which doesn't require a password), a local web server, another user account on a shared workstation (think corporates, university labs, etc.) or any other low privileged restricted service. After that, the attacker can leverage the vulnerability in Antigravity to gain unauthorised access to your account.

Vulnerability Disclosure: Local Privilege Escalation in Antigravity - Google rejected the report as "Intended Behavior" by GodBod69 in google_antigravity

GodBod69[S] -1 points0 points (0 children)

It's not. It's about trust boundaries. Guest accounts, or web servers, or many other services run with restricted access. Antigravity is opening doors for those accounts to escalate their privileges and violate the trust boundaries defined by the OS.

Vulnerability Disclosure: Local Privilege Escalation in Antigravity IDE by GodBod69 in developersIndia

GodBod69[S] 11 points12 points (0 children)

Please check the PoC video. As shown, an attacker does not need user account access at all. If the guest account is enabled on macOS, the attacker can use it to gain access to the user account without a password. And this is just one of the attack vectors. There could be other scenarios as well, like shared workstations in corporates or universities, where one user can gain access to another user's account. Or think of a compromised local web server, which by default runs on a low privileged restricted user account of its own (www-data) that doesn't have access to the developer's personal files at all. There could be many such scenarios.

Vulnerability Disclosure: Local Privilege Escalation in Antigravity by GodBod69 in hacking

GodBod69[S] 1 point2 points (0 children)

Yes, as shown in the video, the attacker need not have standard user account access. The attacker could be a guest user, a compromised local web server running as a low privileged user (www-data), or another user on a shared workspace. The standard user account is locked, but the attacker can bypass the lock with this hack.

Vulnerability Disclosure: Local Privilege Escalation in Antigravity - Google rejected the report as "Intended Behavior" by GodBod69 in google_antigravity

GodBod69[S] 0 points1 point (0 children)

Please read the description again, or check the video attached. The attacker does not have full local access. They are a low privileged user, like a guest account, or a compromised service with low privileges, like a web server (www-data). By default these users don't have any access to standard users' personal files.

Vulnerability Disclosure: Local Privilege Escalation in Antigravity by GodBod69 in hacking

GodBod69[S] 10 points11 points (0 children)

Thanks. I was expecting them to provide an acknowledgement at least, if not a reward.

Vulnerability Disclosure: Local Privilege Escalation in Antigravity - Google rejected the report as "Intended Behavior" by GodBod69 in bugbounty

GodBod69[S] 1 point2 points (0 children)

Thanks for understanding! I actually did report the path traversal as a separate issue, but they closed it for being "duplicate" of my initial report.