Skip to main content

Vercel CLI CVE-2026-44479

MEDIUM
Information Exposure (CWE-200)
2026-05-07 https://github.com/vercel/vercel GHSA-pgf8-2hgj-grqg
5.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

3
Source Code Evidence Fetched
May 07, 2026 - 00:32 vuln.today
Analysis Generated
May 07, 2026 - 00:32 vuln.today
CVE Published
May 07, 2026 - 00:05 nvd
MEDIUM 5.5

DescriptionGitHub Advisory

Summary

When the Vercel CLI runs in non-interactive mode (--non-interactive or auto-detected AI agent), commands that cannot complete autonomously emit JSON payloads with suggested follow-up commands. If the user authenticated via --token or -t on the command line, the token value is included verbatim in those suggestions.

Conditions

All three must be true for the token to appear in output:

  1. Token passed as a CLI argument (--token / -t). The VERCEL_TOKEN environment variable is not affected.
  2. Non-interactive mode is active (explicit flag or AI agent auto-detection).
  3. The command cannot complete on its own (e.g. missing --yes, ambiguous scope, API errors). Successful commands produce no suggestion output.

Impact

The plaintext token may be captured in CI/CD logs, agent transcripts, or other automation output.

Remediation

  • Upgrade to the patched version.
  • If developers have previously used --token with --non-interactive in their applications, review logs for exposed tokens and rotate them.
  • Prefer VERCEL_TOKEN environment variable for authentication.

AnalysisAI

Vercel CLI leaks authentication tokens in JSON output when running in non-interactive mode with credentials passed via command-line arguments. Affected versions 50.16.0 through 52.0.0 expose plaintext tokens in suggested follow-up commands when operations cannot complete autonomously, allowing token capture in CI/CD logs and automation transcripts. Information disclosure risk is elevated in automated deployment pipelines where CLI output is logged.

Technical ContextAI

The Vercel CLI (npm package 'vercel') implements a non-interactive execution mode triggered by the --non-interactive flag or automatic detection of AI agent environments. When commands fail to complete autonomously (due to missing flags like --yes, ambiguous scopes, or API errors), the CLI generates JSON payloads containing suggested follow-up commands. The vulnerability exists because the CLI argument parser preserves the raw --token or -t parameter value in these suggestion payloads without sanitization. This is distinct from the VERCEL_TOKEN environment variable mechanism, which is not affected. The root cause is CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) - the token exposure occurs through informational output channels (logs, transcripts) rather than through direct API exposure.

RemediationAI

Immediate: Upgrade Vercel CLI to version 52.0.1 or later (npm install -g vercel@>=52.0.1). Critical follow-up: If --token has been used with --non-interactive in CI/CD workflows prior to upgrade, manually review all CI/CD logs, build artifacts, agent transcripts, and log retention services for exposed tokens, then rotate all exposed tokens via the Vercel dashboard to invalidate them. Long-term: Replace --token command-line usage with VERCEL_TOKEN environment variable for all automation and CI/CD pipelines; environment variables are not leaked in this vulnerability. Note the remediation trade-off: environment variable authentication requires CI/CD secret management setup but eliminates both this and similar token-leakage risks.

Share

CVE-2026-44479 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy