Skip to main content

Vercel AI SDK CVE-2026-8767

| EUVDEUVD-2026-30714 LOW
OS Command Injection (CWE-78)
2026-05-17 VulDB GHSA-9pj2-3x6v-c3pp
1.3
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
1.3 LOW
CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
Analysis Generated
May 17, 2026 - 23:30 vuln.today
Severity Changed
May 17, 2026 - 23:22 NVD
MEDIUM LOW
CVSS changed
May 17, 2026 - 23:22 NVD
5.0 (MEDIUM) 1.3 (LOW)

DescriptionCVE.org

A vulnerability has been found in vercel ai up to 3.0.97. Impacted is the function run of the file .github/workflows/prettier-on-automerge.yml of the component PR Branch Name Interpolation. The manipulation leads to os command injection. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitability is considered difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

OS command injection in Vercel AI SDK versions up to 3.0.97 allows authenticated remote attackers with pull request creation privileges to execute arbitrary commands on CI/CD runners through malicious branch names. The vulnerability resides in the prettier-on-automerge GitHub Actions workflow, which insecurely interpolates PR branch names into shell commands. A public proof-of-concept exploit exists (disclosed via GitHub Gist), demonstrating feasibility despite CVSS 4.0 rating the complexity as high (AC:H) and exploitability as difficult. The vendor (Vercel) was notified but has not responded, and no patch availability is confirmed from vendor sources at time of analysis.

Technical ContextAI

This vulnerability affects the Vercel AI SDK's GitHub Actions CI/CD workflow configuration. The file .github/workflows/prettier-on-automerge.yml contains a run step that performs unsanitized string interpolation of GitHub pull request branch names into shell commands. CWE-78 (OS Command Injection) occurs when user-controlled data-in this case, the branch name chosen by a contributor-is passed directly to a shell interpreter without proper escaping or validation. GitHub Actions contexts like github.head_ref or github.event.pull_request.head.ref are treated as trusted inputs by many workflow authors, but these values are attacker-controllable when a user creates a pull request from a fork with a specially-crafted branch name. The CPE identifier cpe:2.3:a:vercel:ai:*:*:*:*:*:*:*:* confirms the affected product is the Vercel AI library/SDK itself, not a SaaS platform component. The CVSS 4.0 vector indicates network-based attack (AV:N), high complexity (AC:H), low privileges required (PR:L), and proof-of-concept exploit availability (E:P), with low confidentiality, integrity, and availability impacts (VC:L/VI:L/VA:L) scoped to the vulnerable component only (SC:N/SI:N/SA:N).

RemediationAI

No vendor-released patch version has been confirmed at time of analysis-Vercel was contacted during responsible disclosure but did not respond per VulDB submission 811402. Organizations should immediately implement compensating controls: First, audit all GitHub Actions workflows in the Vercel AI SDK repository for instances of unsanitized branch name or pull request title interpolation (search for github.head_ref, github.event.pull_request.head.ref, or similar context variables used in run: blocks without proper quoting). Second, modify the .github/workflows/prettier-on-automerge.yml workflow to sanitize inputs-replace direct interpolation with validated environment variables or use GitHub Actions expressions that automatically escape shell metacharacters. Third, restrict pull request workflow triggers to trusted branches only using pull_request_target with explicit paths and branches filters, and avoid checking out untrusted code in workflows with write permissions. Fourth, apply principle of least privilege to GitHub Actions workflows by using separate tokens with minimal scopes and avoiding storage of production credentials in CI secrets accessible to PR workflows. Note that disabling the prettier-on-automerge workflow entirely eliminates this attack surface but removes automated code formatting functionality. Monitor the upstream Vercel AI SDK repository (https://github.com/vercel/ai) for security advisories and patch releases beyond version 3.0.97. VulDB reference: https://vuldb.com/vuln/364392/cti

Share

CVE-2026-8767 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy