GitHub CLI CVE-2026-59831
MEDIUMSeverity by source
AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N
Requires authenticated GitHub user (PR:L) to actively connect to a malicious Codespace (AC:H, UI:R); scope changes as VS Code handles the injected URI on the local machine (S:C).
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
1DescriptionCVE.org
GitHub CLI (gh) is GitHub’s official command line tool. From 2.10.0 through 2.95.0, connecting to a malicious Codespace with gh codespace jupyter can allow command execution because the command opens a JupyterLab URL supplied by a process inside the Codespace without validating that it is a loopback HTTP or HTTPS address, allowing a crafted vscode:// or vscode-insiders:// URL to be handed to VS Code. This issue is fixed in version 2.96.0.
AnalysisAI
Command execution via URI injection in GitHub CLI's gh codespace jupyter subcommand (versions 2.10.0-2.95.0) allows an attacker who controls a Codespace to redirect a connecting developer's VS Code instance into executing arbitrary protocol handler actions. The CLI passes a JupyterLab URL sourced from a process inside the Codespace directly to the OS without validating that the URL is a loopback HTTP or HTTPS address, enabling substitution with a crafted vscode:// or vscode-insiders:// URI. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The victim must be an authenticated GitHub user (PR:L) and must actively run `gh codespace jupyter` targeting an attacker-controlled or compromised Codespace - passive exploitation is not possible (UI:R). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS base score of 4.4 (Medium) with vector CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N accurately captures the constrained but real threat. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker creates a public or shared GitHub Codespace and configures a background process to intercept or replace the JupyterLab startup URL with a crafted `vscode://ms-vscode-remote.remote-containers/cloneInVolume?url=attacker-server` URI. When a developer runs `gh codespace jupyter` to work in that Codespace, the CLI receives the spoofed URI and dispatches it to the OS without validation, causing VS Code to process the protocol handler and potentially clone a malicious repository or invoke a VS Code extension command on the developer's local machine. … |
| Remediation | Upgrade GitHub CLI to version 2.96.0 or later, which introduces loopback URL validation before dispatching JupyterLab URLs to the OS. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Snyk CLI before 1.996.0 allows arbitrary command execution, affecting Snyk IDE plugins and the snyk npm package. Rated h
The GitHub CLI version 2.6.1 and earlier are vulnerable to remote code execution through a malicious codespace SSH serve
Symlink-following vulnerabilities in Capgo CLI before version 12.128.2 (npm @capgo/cli < 7.84.6) allow an attacker who c
The CLI in Cisco IOS XR allows remote authenticated users to obtain sensitive information via unspecified commands, aka
Terminal escape sequence injection in GitHub CLI 1.6.0 through 2.91.x allows authenticated attackers with pull request c
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today