Skip to main content

GitHub CLI EUVDEUVD-2026-30549

| CVE-2026-45803 LOW
Improper Neutralization of Escape, Meta, or Control Sequences (CWE-150)
2026-05-15 GitHub_M GHSA-crc3-h8v6-qh57
3.5
CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY
3.5 LOW
AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

2
Patch available
May 15, 2026 - 17:01 EUVD
Analysis Generated
May 15, 2026 - 16:30 vuln.today

DescriptionGitHub Advisory

gh is GitHub’s official command line tool. From 1.6.0 to before 2.92.0, a security vulnerability has been identified in GitHub CLI that could allow terminal escape sequence injection when users view GitHub Actions workflow logs using gh run view --log or gh run view --log-failed. The vulnerability stems from the way GitHub CLI handles raw Actions log output. The gh run view --log and gh run view --log-failed commands stream workflow log lines to stdout or the configured pager without sanitizing terminal control sequences. An attacker who can influence GitHub Actions log content, for example via a PR triggered workflow, can embed escape sequences that are replayed in the user's terminal when they inspect the run. Depending on the victim's terminal emulator, injected sequences could change the window title, manipulate on screen content, or in some terminal emulators (such as screen) potentially execute arbitrary commands. This vulnerability is fixed in 2.92.0.

AnalysisAI

Terminal escape sequence injection in GitHub CLI 1.6.0 through 2.91.x allows authenticated attackers with pull request creation rights to inject malicious terminal control sequences into Actions workflow logs. When victims execute 'gh run view --log' or 'gh run view --log-failed' to inspect workflow runs, unsanitized escape sequences replay in their terminal, enabling window title manipulation, on-screen content alteration, or arbitrary command execution in vulnerable emulators like GNU screen. The attack requires low complexity and user interaction (victim must view logs), with impact limited to terminal integrity. CVSS score of 3.5 reflects low-severity integrity impact, though real-world risk varies significantly by terminal emulator capabilities. No active exploitation confirmed at time of analysis.

Technical ContextAI

This vulnerability exploits CWE-150 (Improper Neutralization of Escape, Meta, or Control Sequences) in GitHub CLI's log streaming implementation. The affected commands pipe raw GitHub Actions log output directly to stdout or configured pagers without sanitizing ANSI escape sequences or terminal control characters. GitHub Actions workflows can embed arbitrary text in logs through echo statements, error messages, or tool output. Terminal emulators interpret escape sequences like CSI (Control Sequence Introducer) codes for cursor manipulation, OSC (Operating System Command) sequences for window title changes, and in legacy multiplexers like GNU screen, potentially DCS (Device Control String) sequences that can trigger command execution. The CPE identifier 'cpe:2.3:a:cli:cli:*:*:*:*:*:*:*:*' indicates the CLI product itself, with GitHub confirming the vulnerable code path exists in the run view log display functions from version 1.6.0 forward.

RemediationAI

Upgrade GitHub CLI to version 2.92.0 or later, which implements terminal escape sequence sanitization in log output handlers. Users can verify their version with 'gh version' and update via package managers (brew upgrade gh, apt upgrade gh-cli, choco upgrade gh) or direct download from https://github.com/cli/cli/releases/tag/v2.92.0. For environments unable to immediately upgrade, implement compensating controls: configure pager to strip ANSI sequences by setting 'export GH_PAGER="less -r"' which processes color codes but blocks control sequences, or redirect log output through 'gh run view --log | cat' to strip all escape sequences (eliminates color formatting but neutralizes injection). Restrict GitHub Actions workflow modification permissions to trusted contributors only, preventing malicious PR authors from injecting log content. Organizations using GNU screen or other legacy terminal multiplexers should prioritize patching due to elevated command execution risk. Review recent workflow logs for suspicious escape sequences using 'gh run view --log | od -c' to detect non-printable characters. The vendor advisory at https://github.com/cli/cli/security/advisories/GHSA-crc3-h8v6-qh57 confirms no side effects from the 2.92.0 patch beyond the intended sanitization behavior.

Share

EUVD-2026-30549 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy