Vercel CLI CVE-2026-44479
MEDIUMSeverity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
Summary
When the Vercel CLI runs in non-interactive mode (--non-interactive or auto-detected AI agent), commands that cannot complete autonomously emit JSON payloads with suggested follow-up commands. If the user authenticated via --token or -t on the command line, the token value is included verbatim in those suggestions.
Conditions
All three must be true for the token to appear in output:
- Token passed as a CLI argument (
--token/-t). TheVERCEL_TOKENenvironment variable is not affected. - Non-interactive mode is active (explicit flag or AI agent auto-detection).
- The command cannot complete on its own (e.g. missing
--yes, ambiguous scope, API errors). Successful commands produce no suggestion output.
Impact
The plaintext token may be captured in CI/CD logs, agent transcripts, or other automation output.
Remediation
- Upgrade to the patched version.
- If developers have previously used
--tokenwith--non-interactivein their applications, review logs for exposed tokens and rotate them. - Prefer
VERCEL_TOKENenvironment variable for authentication.
AnalysisAI
Vercel CLI leaks authentication tokens in JSON output when running in non-interactive mode with credentials passed via command-line arguments. Affected versions 50.16.0 through 52.0.0 expose plaintext tokens in suggested follow-up commands when operations cannot complete autonomously, allowing token capture in CI/CD logs and automation transcripts. Information disclosure risk is elevated in automated deployment pipelines where CLI output is logged.
Technical ContextAI
The Vercel CLI (npm package 'vercel') implements a non-interactive execution mode triggered by the --non-interactive flag or automatic detection of AI agent environments. When commands fail to complete autonomously (due to missing flags like --yes, ambiguous scopes, or API errors), the CLI generates JSON payloads containing suggested follow-up commands. The vulnerability exists because the CLI argument parser preserves the raw --token or -t parameter value in these suggestion payloads without sanitization. This is distinct from the VERCEL_TOKEN environment variable mechanism, which is not affected. The root cause is CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) - the token exposure occurs through informational output channels (logs, transcripts) rather than through direct API exposure.
RemediationAI
Immediate: Upgrade Vercel CLI to version 52.0.1 or later (npm install -g vercel@>=52.0.1). Critical follow-up: If --token has been used with --non-interactive in CI/CD workflows prior to upgrade, manually review all CI/CD logs, build artifacts, agent transcripts, and log retention services for exposed tokens, then rotate all exposed tokens via the Vercel dashboard to invalidate them. Long-term: Replace --token command-line usage with VERCEL_TOKEN environment variable for all automation and CI/CD pipelines; environment variables are not leaked in this vulnerability. Note the remediation trade-off: environment variable authentication requires CI/CD secret management setup but eliminates both this and similar token-leakage risks.
Same weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-pgf8-2hgj-grqg