Vercel’s CLI, when running in non‑interactive mode or when an AI agent is auto‑detected, produces JSON payloads that include suggested command prompts. If a user supplies a token via the --token or -t flag, the CLI inserts that plaintext token into the suggested command. This results in the token being present in the output, which can be written to CI/CD logs, agent transcripts, or any other automation logs. An attacker who can read those logs could obtain the bearer token, granting unauthorized access to the user’s Vercel account or associated services. The flaw is an information‑exposure weakness (CWE‑200) and a log file disclosure flaw (CWE‑532).

The vulnerability affects the Vercel CLI version range from 50.16.0 through 52.0.0 inclusive. Users who run these versions in non‑interactive mode or with an auto‑detected AI agent and provide an authentication token on the command line are impacted. Version 52.0.1 and later contain the fix, removing the token from suggested command outputs.

The CVSS score is 5.5, indicating moderate severity. The EPSS score is not published, and the vulnerability is not listed in CISA’s KEV catalog. Exploitation requires the attacker to have at least read access to the logs or other automation output produced by the CLI. If such access exists, the attacker could capture the exposed token; otherwise, the risk is limited. In typical CI/CD pipelines where tokens are often written to logs, the practical attack vector is likely to be log exposure, making the weakness a moderate but real risk for accounts with sensitive tokens.